961c6f48a263a30a63dda8f2f3ed36ad340daa21e744dbe21470fca24e6ba928

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_a01362718d2c8a8ec25449b118d3eddf_avoslocker.exe
Size

1.3MB
MD5

a01362718d2c8a8ec25449b118d3eddf
SHA1

b52440f57b8e0a9a2e152aedbf940c0a64a5895c
SHA256

961c6f48a263a30a63dda8f2f3ed36ad340daa21e744dbe21470fca24e6ba928
SHA512

179f76d4f30c7cc76e8f1093807cb2c69b66e88ac60b65d9c102efaeab4e0b652189693520faa207a7b558c6e33898ac2ea72f83253b62b1d1f6c5032cf0beac
SSDEEP

24576:k2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedDRVldlnXfH9gPwCn7vOb7HHcg:kPtjtQiIhUyQd1SkFdDRVlbnXf9gPTTg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
232	alg.exe
3200	elevation_service.exe
2132	elevation_service.exe
2004	maintenanceservice.exe
4488	OSE.EXE
4564	DiagnosticsHub.StandardCollector.Service.exe
3628	fxssvc.exe
4528	msdtc.exe
3068	PerceptionSimulationService.exe
4116	perfhost.exe
2620	locator.exe
3272	SensorDataService.exe
440	snmptrap.exe
2980	spectrum.exe
1256	ssh-agent.exe
1640	TieringEngineService.exe
1184	AgentService.exe
2640	vds.exe
4432	vssvc.exe
2480	wbengine.exe
212	WmiApSrv.exe
2872	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-04-28_a01362718d2c8a8ec25449b118d3eddf_avoslocker.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_a01362718d2c8a8ec25449b118d3eddf_avoslocker.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\24b70154ad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C1566D4E-90C3-4D8D-8731-8398B4F79F34}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaws.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090d4a1f79d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fae3f2f79d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f7642f79d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060eb57f79d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079ec38f79d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000931340f79d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000324d5af79d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
3200	elevation_service.exe
3200	elevation_service.exe
3200	elevation_service.exe
3200	elevation_service.exe
3200	elevation_service.exe
3200	elevation_service.exe
3200	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_a01362718d2c8a8ec25449b118d3eddf_avoslocker.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1352	2024-04-28_a01362718d2c8a8ec25449b118d3eddf_avoslocker.exe
Token: SeDebugPrivilege	232	alg.exe
Token: SeDebugPrivilege	232	alg.exe
Token: SeDebugPrivilege	232	alg.exe
Token: SeTakeOwnershipPrivilege	3200	elevation_service.exe
Token: SeAuditPrivilege	3628	fxssvc.exe
Token: SeRestorePrivilege	1640	TieringEngineService.exe
Token: SeManageVolumePrivilege	1640	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1184	AgentService.exe
Token: SeBackupPrivilege	4432	vssvc.exe
Token: SeRestorePrivilege	4432	vssvc.exe
Token: SeAuditPrivilege	4432	vssvc.exe
Token: SeBackupPrivilege	2480	wbengine.exe
Token: SeRestorePrivilege	2480	wbengine.exe
Token: SeSecurityPrivilege	2480	wbengine.exe
Token: 33	2872	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeDebugPrivilege	3200	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2872 wrote to memory of 2448	2872	SearchIndexer.exe	SearchProtocolHost.exe
PID 2872 wrote to memory of 2448	2872	SearchIndexer.exe	SearchProtocolHost.exe
PID 2872 wrote to memory of 4868	2872	SearchIndexer.exe	SearchFilterHost.exe
PID 2872 wrote to memory of 4868	2872	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_a01362718d2c8a8ec25449b118d3eddf_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_a01362718d2c8a8ec25449b118d3eddf_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2004

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4916

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3272

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2980

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1016

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2448

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
23172b0b038976307ea4482d1c2f5f79

SHA1
58c5be6884fe41cd19a347aa850d22e5133d5e69

SHA256
b9ef9b82b5b1de18e2d2266a57476e86d32e47abfd7edf52fd75797d2e8f11e4

SHA512
006c9e669a4d97d4fdd3aabca8f415bfb11c152809dab8ae32e374731d8f4e1ea0155a843eadd7d4795dab1e4aba21379e3df9481d86a257ac8c9a35d2c0ffa2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
2d117f85a1edb929fbf69cdf8979d5fb

SHA1
96f33d752f8e56ee9452c1c0e345de24ced1374c

SHA256
bd1213de40eaae6c5d2164c8c7d2e307945a8f606b9e9a5189373a76103dd0c4

SHA512
07381952c14d8dbb8a5be339687120c118a821615aebcf1e3b40d88f402b7408ba6590a013b2fa4fe8ac97f681ecade2932ebad212a984372bcf8d6d116b8917

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
17f8f61649a4448c304151b9c99f71ba

SHA1
a723b055e64452785c3196bf2b413ee26aea968b

SHA256
30d2f6551ad60728bb3c1e098915cfcabb9aacfc52b324716093968ec1c21864

SHA512
dd615b318c3c8da12bc790dac71b1787fe7a3a46506c1a82bed7e44f727d131bc8bc7bce23f2f5971886233b9e9e49d409136415d05518b9ab552ff391c4e068

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e67ef2bedf38f5df708983376b500330

SHA1
e0ce65c7046b9260e38343026cf040ee33455501

SHA256
c72292588e32a96961731523ac4b18f28a5320bb721aee5b079a8ed830e1b4fe

SHA512
ddf2e85d0518347a190866a21236aa5503c9db20ef19261d047709eca7e5d292dba21e1ce9b545bd59fe7c74b6af66273b8fa2080ef0f332bad0de86f859ede4

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
a0d6e193f2e1d6047a787f1ce2b2a449

SHA1
8f71e2635f951c5937a2639a1aa00becb1e7974a

SHA256
f9c9326803323ee79ef41b709e799e17d320c4931f245ed3b633297316967014

SHA512
a7164d6dfd18542b35a5796564f5e481f7b766d3b7546b0d5905f8211e8c65e10b0903303313d41d6c2f94cb83dc68d2a6ddf5b859d8788747cb3bf8991ac2ac

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
1b0f7930707a0dc8f358ddb85cf2d139

SHA1
a81ab0e72aa6adf103bf4ae3185e1f6dc9198395

SHA256
5c23d02b9e57e21fba08150bc14478d3a639ee2902cee098f3fd31f100360503

SHA512
4e49e5aae325db55b29891a59a572ab3dcce4af57029ffb7350d56c4ea69c833474df5763d40f8221147f3a53278741bf46b1a1dd8d01f3280ec253ce7268aa5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
45c3572c23d6fa3fb38d224886e87043

SHA1
b63ca3be771ad761232d6a7629f4921e8f129673

SHA256
4d4c15a04beb40a3785607ce71a21dea45af4a65dde05d701bfd806a0aba731d

SHA512
776ac7fb991858df1ec7f6fbd511781177f37d89d73475b50a5df488aa47dff49e4da8feab6e1ebae1691289e503abdbe9d541e817e3cbf0433bf8975c687df2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
013bc256be55d0f81c7a3b205a4ee81a

SHA1
b11d93d9b02049192f9dda01f4c637af5c72a038

SHA256
715619a26fb4b35e75d3a8ed5bdb9831dccfd12cb7c54d42f52b5c6318449945

SHA512
ab0e849621b0b5d871cfbb6e8621b11f24f96a6ce01b6567faf4d41a3e607048a7528e6452444af704ed7a5802b934f71cce6766fc46162fd5116561a23b4091

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
10392f8fd687530548fad917f33438b1

SHA1
5ce54e57c97792d4d85894a0482032257143ec45

SHA256
5031cb5ce4c988c5bb8c2dbeb8e0bfcce43273ea0dac549491a1f590fc1fdefe

SHA512
3781805a053145af93317ac814279089db77544296c81632ec8400a432aac9757a61ca8646dfbeb65f89464d31537a72bd7362f9e8717284161ba2a651aa8aa3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
70c986c66e14137bc7685ac63c6d0f69

SHA1
7dbf117c94ff35990bbd4e97f3aa662ca7d255cd

SHA256
33b711d42535b95e7ca1861a481f36475fe241924abcfb85f7bcaa6cca5f2784

SHA512
73053fa43f121ce925df9c85e39b328beb4dd221df72579afd2834a8539289d8696ec7f8dd8ec0debfc7985b83a8be326392339cb5c142cd0454a05ff578c489

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
f81b3b9fe96d5e8ed6240b5a2ba9c814

SHA1
cdd279caab08692f73840f9619aaae9ce819e2e9

SHA256
a3ff4f9f46b6cbaf754b1651513c4081b577e8c61e782653e94c0789e9f10879

SHA512
30c332f7bfee431efb40e650b8b55c3893c8c1226667c49407e9b6ab22a9f96ee9700e9b334c9739ddc11cd2e9964caf3c626bd8757b4d5e4e51c69ca287197a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
e742c5936352526a5ebaf7ca10ebe1ac

SHA1
8e6134a87d5fcc3e4223321a7b68761c8e054547

SHA256
5cede8bf0a6fca135a5826bfe7c936ac8c2b97a1077ed8f705d2a8b131b73b85

SHA512
a08a0073ebd1d6c1e3ec63e8cbc7a2ce6986133e36c575455f6b6eca24b1ad8d1549a6fa5a0138159debe1cb6ad15c2fe153702c45f07bd475b9736c2b4cd11e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
50b16e7d4300f02279fc6b21e8d39c2f

SHA1
d96e8032124da4806e2105263a967f0880437248

SHA256
5440283d35fe1b3e952f3ed4d921a52dd9f845fb9e5b58a1fe02f3465f384708

SHA512
ba1f4f22608f13a64e8463198aa32fe98ce6b865a568205ed0e0dd8f467517d33244964e4c0a1b7b32c88fd946e59cbe93617dfb9924cbd047c998849f40c59f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
f6dd4d9ad08d442efe985f7a8db6fc93

SHA1
fc6348844c179318ada4eeeb873b33748b6de074

SHA256
202f6b736b42c655882c9df63279e60dc6e903911d103787f1f570ea8c75ef59

SHA512
6a8f337027811c3bce3dd9e04fb14cbe2d113a05b1f0f38961e56fc53d763040c812c826f1ca83897c2f16c4a80a23132954773c1f5372f9d0fbf60372438e0b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
64fbef5245f7bbfd4656a902d4a05a65

SHA1
c3d5c3271cb9a0026cacf3e01b241071bcdbec7d

SHA256
3b75cc7480b63514d4a2e63ab6c33093a384690999c6b5be4bb2422578040040

SHA512
ad57001152acadc026b214ce3e800d84a463e85bd21ebb7f3779bcdb464de423985d4909ac5356a0d8f8c2f8e31289994d9295eda3523fc3936e14dcef936d6a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
37437825c7f65316a40fd039f8bf1c2d

SHA1
03a550e9e5d9ef3fd74e6b68568d37f6ed1b40f9

SHA256
7e563c4afca1403936e44d238dba62f2e107206c8b4832e6d63ea0e01a51a43a

SHA512
fba480f52566898040d0b34e8f1e960ef8f2c4cb3674118b0ed3e124a9a54aa87d20b7707c445df326a4018e8168fff9119b7d7eeaf2d54d1f35068eb0e26f4c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
e9e470923a2ec66d137034dafaa235fe

SHA1
4378338a3462ca2caab809c6e9e39e81b3713ae6

SHA256
31a944db92fcbfd2654c9b3a1008502018cc647fe8ce6cf3a5c367fdb7f85bec

SHA512
ad1dbd348b73f98d927c35d525c30728c77bbbbc8eda73c2ce9d51ff6fc65d60175fb50f3a4ff97b8929df41bdcd54de39ba5da6c50ee11ddf41005d74b589eb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
240fd29323eac52fece6b02d2a9a981a

SHA1
9f0e4e7a4671d0fb2de43a0a068c485728d62531

SHA256
e0417636eb4755bb1a4a287bb1093eee033a99bb1a90c7c8fa7b040bccb79b7d

SHA512
f6c1505e019105b106d67e4e6c21845df24394619d443eb84228ea7ca51d562adf0a209d42532c51d038b7a2cdbba94939d13ac319d7fe8dc0dd6551d0fb69fc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
c556b4205d82afb27e3c177e0268c8d7

SHA1
976dd929226a5db8a6a0cf35d88019cf18776dd3

SHA256
59f74cdad85ccbd52d14eacecd8a3cc25afc50d2e48ca2ae4552ea7f9f9608ca

SHA512
126ee27be9f0183d81fadae5a2c7bdd5242dc898361cfe7c01894deda0d65bbaad58741bce532b14807c5ab6ea03f5937fbe4cd955317dc783bb021f7c22896a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
4414c772b6227e18d7a303d383f7941f

SHA1
1658f5cb31931e14ac415c712a617ce36c5a0874

SHA256
4e8555ad6c9024587aa86c930a2818d7032aa94a22115b3bb4d68d2d7bf779c1

SHA512
1cd998241996bb16b41da2875c1cc13f9b14d3e94679aab050e342ea8974912b3b682107888c586ce4317f0e8eee3c1d9e3554a5c10dca8af0fc867941e64b02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
e12c0a09afa2ce85dd14baf8f0a000f4

SHA1
fcb373bbcfb55682234b194151dea30b85ff9534

SHA256
545085b739428af98fcc17a1db49664cf53794bb9c23bc8e6eb76288b6f26fb3

SHA512
7a28091282fc305e007377c678c482d3ef7ee77e4b30167651f9bb2d37835818a6071900431102c26be085df0d938975e11943864918b5953a45c1083cd640fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
730d7f03c1ec6ee01494c06bbeeeebca

SHA1
f1419c350dfc559dca7fb8f6471e643368ef1714

SHA256
2840f2bcbdff0ca1d36bff568221ef15d775f23fb4e680950e8c5f57725684f1

SHA512
5f734007090d048f8abc05b659de34be6cb215bd1484b5ddfa88424e47a6656dd7ef15074d4d9a9099bcc12f04b49c37f11aef77d763c2cddf599100cbf24467

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
f5f2e9f1a3b2c695d59f4a04313578d2

SHA1
f9c86ea9ec46b23eb4acb897f8bb1715cc990089

SHA256
380fbb3bb3fb1dcdfdb68043a8b094c4db639b91489255658f91858d20d4c8c9

SHA512
d890876e54c43f30b8a6f52f436ef176ebd230bf5ccf96a2e1823af9c4d88263615864e099c8f5522ec6f73d2724217a5050521a59b4b89368113de1bc074c19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
20b1fff21762b85f2c8b06c52819ef47

SHA1
eaa8ce9a398a5968a7325dd02a22430f94dd7e67

SHA256
7a9c80d39085cd2610fef6ff02b613fa231c3e491df574eb32f140348dcabee2

SHA512
de4df2e9c22e4ef0a3fcbe8d11bdb30caaa8f6e83f18549db8bc9ffac254ce804386f496ff9f6288f5ef23e364a5e89776639f8437d9af376477006cd7dd8727

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
1c11b46ca0463bcb98151f3fa6b8275a

SHA1
481039fc2718be033e690e4f5a531eb2e458816a

SHA256
d5fabd5071647e511c73f0525b8182303030fd87fdc25d815d338cfa8730dc8b

SHA512
f90dc8eabd5f4696ecb88aa2746482537b0b7a834ae8395fb8ece0ab969500559a35ae42975c2f939c433a50a0b83b9a52dedc267a9b4ed33d7c4815b3c55749

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
e8e848bec1ce5d957072ecadc0d0c49c

SHA1
ab1b15ecf8c2df898989c2d914478ab8aa2a560a

SHA256
475e5f58412425bc10f0471f07c406176f2e88391b1d35830611a8e7be780e76

SHA512
371038f58b9acbbb29dfd519f83becd2327d64c811c14e89f554d7fcaedde2f43bc429753edd6c81bfe561bcf360faf11ccbbfe958b9b99d32c597f7af085861

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
1b1436cc67b58f717de00e1f31445865

SHA1
01dd5db9bf1b58e2f6aa95ca55cab03207c272a7

SHA256
6db6cbeec55d732a868cdeb64a8805c5be6f18805048ef5502923c52fecc2c6b

SHA512
dc3a2abad136f2b903174645b6b848ac4da023164bad2b66596d1bba0e4bf65f1fb7748a152870ae347c93e6efb5835a84da0f83a044ab05cbb473a7e9777102

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
a8645aa82dd547ab57585767ba1e4a6a

SHA1
008b8ab111a66e626307b453b65e02c296d9485d

SHA256
efd54c882b9b5157321f335f165b96172f5aab216380161677bf0edc5e409834

SHA512
f02ff1bbe812d0bf5ace89c50ad30adfae96b8b329d1e61329fb91408f2e5a24ec7c23a99cc0dea35e170744610762848b97589c47845e05db69a2f4ffe4cbd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
46bbbbdd458e4331501c5d42bd53ac70

SHA1
8aee092656124e53c206f8cb4a316ca81204796e

SHA256
7d468add863de7425df506ef3189035cfcf55acc9ccc014be2e7d9b9ebf89c75

SHA512
0e44b4512e24d0ae0b2bb69b9b94eac7e461483afaeebce605e160df5af7b2ad9841301eeeed4e3e8caaedd0e09d1d803665b1fb15498b26d832eaf33d941f9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
0dbac0db92a667c7a022e91692a8aeb4

SHA1
24d729b3bf355ac011736aee5632ef566a37b0ac

SHA256
2bc514b1fb4d1731e4700baeed9bd010b48624a1e9f77d713ccb60b93cc02774

SHA512
632c8676ad5cf1860b11e25faf148dd0aa90106cfefe7ee88a7d8c4a07a80f9c025faa7ef2b06cdc9cdc17919eed1661510e08e08ba448cfdeaa181d27d8bc8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
0c3d4b0b2da6e7abc7bcee6af2f0c02b

SHA1
e8da65ea3147d2ecbfb4e938c95401354c0210ec

SHA256
3d08810296a37932cd9d32ab619de017105db094de895efa052b6ff07dc44b68

SHA512
0121762c3067f1a12e131c96f64c713dd4eceb3f8b5733afcfc245d0705e4e4aef0ecd5ff25157071c6f4d36a9b472b96d0560a6c0eaa1fdd07e8ed71a33a8bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
5ab5210a33630c106334267c0269af9c

SHA1
82ae22549e2f2b143ac65dbd818ace7ed7859794

SHA256
64a10f2edf6522c7ecec6d8f3cf811a447372afbd86d2fa35b6639812086ce44

SHA512
a83a260293baf436deca2d94e2ed9e3ead4088d556b4c572df45e90048d4783a879a0cc19f0f27d51aed2cafeb0924636bffafbf5e8ab4a130eae763a291c2a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
4c907d99f68e29d262a5daa6afe10d53

SHA1
c38050f8f546dfeb8145c1d6bd4ff4bd52c43f8d

SHA256
c8114a7f10ec3c827f311bd61ce18875236b748cbbd7f2003f0e5346929c8f58

SHA512
c6ddc75cf1fd45c59c986530a1d14b5f4ab01d1b371f6c3e02be5b3286291d056db0904fefac0b93e83b5c6d2971515f916d83e96fd0d13b6c9a6523209111ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
66f0a6d259016a1671d268c5893ea2cf

SHA1
8ae3704968e3f887db8f1b33d01188495ffe0131

SHA256
b7b578b4e71a7c832496e6633e97975e3890f823c560799639ad43d6fb3e9bdf

SHA512
561aed31d56449f6ce4f60870fbabab82241eec3cd9bcb24dd21da7def66721a90230734c8b1b27fd4aa6aacbf6b8185cc32729f062036ff9849abe61067433a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
62ca24677aca1f106697a57ab1caee2d

SHA1
ed1e8efbba1867956e161a099afffcdf2c9e210e

SHA256
030e4db257a91f45174854d0fc7328b8826001d9462fd93d7d1ec0c479bd9f9f

SHA512
c78bbe435275ffdd7278c4b7d753847277f3131a10f3c0ef337c7768f5e7746b04b17ea6cf98fbdffe23f44d03fbedc52b8e693db69d121652012232dc3b24a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
1fbb76f8629597252e9f44c9824f99fc

SHA1
c4bbdd0b76e8cf92dfd7d60ee4339462720dd1fc

SHA256
035e441a693ac3a7e132b711d5e72a5b4f6544f69b37124f264f494c6644fbaa

SHA512
b42faaee935d4aa96f810df97cbb5ea86b9f5f16131ad5a696320e53325de3a455da813e58e3c1bdd0e11623ba585f5a789ee61ae20ff8bdf2f9865dd6d7ced0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
8756799fd4741e33424fc9645f6a7412

SHA1
1c5bec8f9e6dba499c3abadab2f3b72b7ee0f7ad

SHA256
6b4b0ccc633acb79581d1a915696b63ae2ce2999caba5471dee7c6e3ad4a4143

SHA512
fd2d7837dc02768e56f52192598f4829795baeed382f6061784d6cb0cfa7742e00e881810eb846d7288a82c637a75a46586b7720bdfbe75c4dd3cf4367a0c814

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
3a019231622a9b93e6d5cd67af02527c

SHA1
33bca2799573f3d038b5facb29be332d9048b4d0

SHA256
987634f37d8cd4f409c6520981e73c2fd3e10d861d7d83eb9786582d30cfcc69

SHA512
d2782ecff7e41662709001c23a58ddef474a80dc3f7f2e289391639ee950cba44bf8a20a5d55ce1fde680d40db07f5cc9acd4e160becaf33c8d6e6b4fd35ff7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
84982437aab7a528712e8991609af145

SHA1
a7177baaf4a23702401315fb81d7311f13b0edf5

SHA256
8b02f97e0c105e49b93406b22fa7f84a45f4a590655b8d29e072e38a57600cc8

SHA512
075808a13bb7808cbebf76aa3dc2456cf98d55038c84659a1a75680b331db2d74d0020d9b4f97352d126267bfe42d327b533459c1d8d957b01c2cdf2757ab01e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
a9760e3d2a54cadd554a2e8b96873cac

SHA1
e55e85ed65741a6a071f6ef7a42fcf7869dd67a7

SHA256
636470a8a0ad3ba723dfd58d1a73fc812164109b6bf128308c42fa3760ee24fd

SHA512
5153044a0e37918f9a99787edddaba64312e061af222ba0309da3f664105d9ca3d8b64049f61584c32104eff6e784ded01e4be4c9c9129f07ba25dd8d07f6db2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
1fd9f6b29c14d5df95be2bb8bb7a35af

SHA1
5fbb40b93a155b3455153e8f518892fb052629b1

SHA256
20d482d00fd49093496018035eb292b650b26877baf72cdc7763b2bd54e7b7e3

SHA512
42552e6087728552572d4747029f4f575dde9b32f0be3914af283b917c232cb608b1c61b86f46a00d40f3a4d4368df50eba892148ddead23789606fbdc100601

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
a8f38a092271085d14fe648dc85d5c3e

SHA1
05d182bd5979b661671e7e7188dcb17233295c3b

SHA256
e377ad54cef6610b0b3ad533ca35fe3ed7627a684b0c6fc2ed73d22afa52d1f9

SHA512
b177ed4b428195c43d88393c18f3b9542969a1947cbf95967567d535dd33102f1b8fa36dbd5401e52be18e91bdb4c3d87de1f0a801d79f4b5d70d0eec0c275d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
e60b1585c3d39efddf5e4d9a5b3dbd0f

SHA1
e1cc75287cb2422b664f997ec83c272189a9093b

SHA256
135a487b17567ff5a07b4ad8cd4403102b10a97b994a70ab55b8f12cce171b5a

SHA512
fceaa2c63149fbe95b3e205029e2183d667664e1eadaf8355bd8afe2c858b565de37603346b8951691e6ef81937ee1a1cd9a8f894d5c04b5f351ae3667260e05

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
6c40b5776fa3c7c97546c4390e79a7f3

SHA1
eb295a36b605a1b6f7a144cc0f8efd06f7366cb5

SHA256
f70e90b4f14ba692890867c8e131d73ea83aede758200aaeb531ed02380c153b

SHA512
01440532712763218680079289d5da94d08e747a93d214c6662991f2d199df3d0f5c67fb9ae710e5c56eba129b6f6f9d059007ac5c53db084ccb74cbd26a3a39

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
38daec17e4414154e6cb8837f283ce93

SHA1
72ae1e65766cff575b03dc6dc4ae1dbd16af9aba

SHA256
0174af19c42428aa4fc8523f78c738db3fa5d4491600d7262f9408643d83fba5

SHA512
f8c0afbd6698d13b76fc7919b2e45bc77b6899b33809ae632e8fb9bfe91a502490727a0673489bfd6ee563230def74e866a78a11a2facd9ee511661af60e9849

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
3c2dadd171e46dd064e9cd3925e4800a

SHA1
73291e33c72de9198ae5db2eb9c7e9259a088a38

SHA256
4ff731dc3fbb4cbf6f8df960645e353b493ac3fcfabde3c2c568f649d39ec3c7

SHA512
214111866f560dd29eec22594b1ebb0ccfd77f764cf0e9f38597fcbc144cdae54713076b387eb4f052d0a8265c4d004d26173c2e5ac23796caa72ecf404ec86d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
8861d4e190779111fc10d5412cb8be5e

SHA1
c8cb0bdfe656d6f273ad953844ec45b33bed4ca2

SHA256
31480b841ee4ce9ce3de8f2d396c9365ce22ec3bf5a8f241c0d72a05faf6f026

SHA512
506e096cda7642d0a2d25156c616604961df7d81c36b0c72defdf2509118fd1fad428569c678754eb35805263507fc644da16a597245865f4f64a058f313e448

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
06ac90a43f3a99ad5a5f355932ac5e17

SHA1
f524fb00a1729435170b304db86886663e1acf83

SHA256
d5d7ad684a30eb74a5e7d4a7c491e9569d8be77f8614797f93a6f03feaae9224

SHA512
86a18ee4b0159dc6a718de0ca30db7f6f2ec88b407eff9a31617251cf414f35ef026a77f2e2351810ce30af2340fae2d335e25e550c24cbf2c0c6602b519e411

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
812eb252a0d97a1806c6bc1e32f78d4d

SHA1
354e28b2916c3fa7bf8bc225c4d10541d5c604a0

SHA256
521d66648239c31744c1010147ed19c8487650354937184eef13f7146c54dbdf

SHA512
250800ee7de18b65ae0e4351d8429ad0f696e48dafbff58b28584059ec96c99952cdd3caf56049c2587e7d86dcd2f242c73d7423907c8043487742cf75ffb9d5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
e4a1b4b26e614786fdd56fc6aa73fd42

SHA1
d86e93431cf796e57e25432837bb547948ae1484

SHA256
fb8d9582039bac19ad10142c7861dda76f8fbe290906805dddf9369f5a3d8395

SHA512
af828e12fb2f69dd0dc14d2187bb69ae6927eb148246e82d9a061a63e38e43fe60eb8d322fe7b04a975cef700d0abe7d89eaaa0bd1646628ee17adc8d71c322f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
ce0da1b11328df6f2dfc95e2e390fb87

SHA1
4f6ff5773df6adbb35c365cd5522f784e8b81f41

SHA256
a8eaa248603baaa80fcb472219e9fdb5d46bd125106c70b3b61429a9d30cfa72

SHA512
b6a1c5305ca26253bbf880ff7346bfde0350df1070b60d242230842887dceeb431c0f450271011ded451d0d70506befbe344a5348c61c729401b4557ddd6b8c8

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
8d8cb25f3918d4f42c52a2ccc9ce5635

SHA1
8aefb3f0fafb9cb4b5e289df62ce99da608bee4c

SHA256
57ee02b16c2ee6369187b9e122216752192fd5e9260510b48805b3f58060bd7a

SHA512
d2d92e96425181009a77ed756cc0aa39bfedda1fe53b5c384694a254d57fe235d447850ff5228339ec9f5c44ee42bae4f48cfa0211f39b684e8ec2e743556a08

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
fdff28556952d8903a8a123dda70ef25

SHA1
39c3c5c2776089830a277064ea120c0a28b17d69

SHA256
951f90eab122f080b9ba17efddfdc889350ef2ccb76e130e2d0e4c9d1ef3b449

SHA512
64fc3d53350609f3ddec2fd47aade14305be4520fa306bccf7eda33a38bf40b5bac2fd0e4aa474ae8e88b141ca5234bfe59a6b973d0b97c461c7480e79be2f99

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c7df55fbcbe74747b2923ba0caf3054d

SHA1
1f4346416a7847bbd1b723f9fd94ef39f494d2d2

SHA256
10346db03dd97faa5b35ca150d085a85154f389628d9aac9aa11bef1ed348b13

SHA512
07f92c999e823e4920ddeb89753caa48d7d2ae246cb2e969601f0307f2d24eaadc942d95869b8d587ad53f2c6feb672a5107556446f931eefe0eac4e30fe0326

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
796058f9fca7f2daed842efcadd87ba0

SHA1
ab1027b9b98e9ddd9d484a955347d362c53f6d8e

SHA256
2a4c2225b1c628f0f8c2944d0088347aada83b355006dba7b365d4881fcb2bdd

SHA512
ef5097ae75f823c83214e959db0f9feb5f0631e61c6afcf4611a9ea5f167f7c7633b83f72b8b435ebded02bf1672f941317fab6503e16be2e2bc5294d077bb82

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
65e59d40b9fc95f272c6084c9d2b7a5c

SHA1
d8ccaaaa81a188bae1e018361c8927dec033404e

SHA256
6f59e547a88be778237fad08dfad998733c04dd95106fe92dcc77ae5761e47d3

SHA512
edc701cc47374e2b8357e18c12df379fa06051772b5628771b1e824b9ba48550c6477443838ecf673a29d82d77a45cfa1b3cdd925df7f8b4a8e39989c7023a15

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
243d97c448ddc4fb31cab03641ad7c9e

SHA1
6aa04fab88c0c5e33f42a0230e9f298ed801a9c9

SHA256
cba78aa9459da4c6aed5cdc123e97b83eb8d84f95361da6d9fd524bebf8a8952

SHA512
e68a53325a572733564e095770ea49d507d2c2e5ad2da507833e6ccc18b07e2bb9c0c179a796cbc658f286532ee11f5fbb16bcfda24b459a05c5b8d621f164b6

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
38f47fd2b1b1004bb038dbebcd4fa7ae

SHA1
0d97931a98780ca753fdd3b5b2794a3910b5e308

SHA256
0f3f434cd792470bbed76f900bfb2b7f7949e6d8b803ffd5cb31470e56c735cb

SHA512
350f3535097965beff74778a79416c978ea9bf29cf56f45e04f1ba3c2ffa105110e184ca34f8c20ebcffb51297034f1178366d8a99c10d8f989ca5dc0b61ec0c

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
540c443d3ba9e70c188e2b3fb1809d36

SHA1
69c7ec92866e5cab4e498d907d3b8d85a15f031b

SHA256
2e1f0c961cbed8f48738bb25310db126dff08a25c552c9f2b77de4fbe5183287

SHA512
a29ce4be0f6189b9bb721e8be8a8ebba9d5c7eb8128b373341c6d03bd1d64c2d8020e889830090520a676fb546957e13ca6eb7e1e2bf8e3ece575f07b2ef4db2

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0a38cf36f777e35557e021777745a84c

SHA1
2bdcc6abaf84b87f9ab8b571ea292fcf7536575d

SHA256
f58bf46a31d9296a522dceec3c3a62a7109f60fc70d078a597883a8257b7a3b1

SHA512
81b10776b3d9e6828c55f248c24a28825029cb24d662f269d84c21267ce9d0fa8c049e92cb8ac13aea39d81870db8ef95e0190e18fd777a6c564cad2a383e05f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
13e0cef489ca755dd6acbfbfc0732760

SHA1
0e4bac407d426ae6feca4bb2bd07d268486a9c30

SHA256
2d5b9b7fb3fc0be483cab36372aa4fbb23bc61521eec0431b7b9f22434c05fd2

SHA512
140773d0dd98802ea36411dad28c51dbb9a7ae7a247c09219214c42db7674c1851b8357e353344515f1fe562d2ea0becba4cc14f3b477ec7948893aae296cb7b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b967b311cf0544458e8114fe1d3b651e

SHA1
cf32450b82e3bd716ee450f312d4d2f644aa5072

SHA256
a2ac24cafe02f34a3640c73743cc301b56d57994964e77d2fe43347df567c29a

SHA512
64e83ebc23e484024616acbd930649e4c436a31a24150bdb0ed8e2e5ac0a8746de19360455d99420833d895b803d57f5d2b93c5d02bed4f3a674a16790e8b0ed

Download Submit
memory/212-427-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/212-617-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/232-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/232-25-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/232-16-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/232-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/440-338-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/440-541-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1184-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1184-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1256-353-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1256-610-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1352-1-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/1352-28-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1352-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1352-8-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/1352-6-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/1640-611-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1640-365-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2004-55-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2004-60-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2004-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2004-64-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2004-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2132-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2132-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2132-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2132-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2480-616-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2480-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2620-426-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2620-307-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2640-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2640-614-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2872-618-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2872-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2980-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2980-606-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3068-402-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3068-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3200-38-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3200-32-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3200-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3200-236-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3272-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3272-609-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3272-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3628-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3628-257-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3628-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4116-414-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4116-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4432-615-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4432-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4488-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4488-76-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4488-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4488-70-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4528-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4528-390-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4564-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4564-364-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4564-252-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4564-246-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download