681802201ba0d5157fa34c9d562a00c9cf8a6f27ea77b42178ac830502af9e30

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_63c223656da4571be8de0ac0d98c61db_avoslocker.exe
Size

1.3MB
MD5

63c223656da4571be8de0ac0d98c61db
SHA1

aa0600f88b435303e28e20d7575aedb923e9e913
SHA256

681802201ba0d5157fa34c9d562a00c9cf8a6f27ea77b42178ac830502af9e30
SHA512

4fe0f9cd37b0b33a174b9232a1a55c6f1765ab00c5289f4873cf1cd4622f7f3bdbd4482f30d1308e726c8af0249ccf8553ac62709850817dcf67e206ec91357f
SSDEEP

24576:32zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedx6LaRFdGJm0Q3WKVSwdr13Ekb:3PtjtQiIhUyQd1SkFdx6KFdi2Ga9x3EJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
716	alg.exe
3020	elevation_service.exe
4284	elevation_service.exe
4712	maintenanceservice.exe
4956	OSE.EXE
4460	DiagnosticsHub.StandardCollector.Service.exe
4660	fxssvc.exe
956	msdtc.exe
4540	PerceptionSimulationService.exe
2300	perfhost.exe
4852	locator.exe
372	SensorDataService.exe
4216	snmptrap.exe
4004	spectrum.exe
2480	ssh-agent.exe
4788	TieringEngineService.exe
4648	AgentService.exe
1252	vds.exe
2712	vssvc.exe
2236	wbengine.exe
1000	WmiApSrv.exe
4928	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

alg.exeelevation_service.exe2024-05-22_63c223656da4571be8de0ac0d98c61db_avoslocker.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_63c223656da4571be8de0ac0d98c61db_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_63c223656da4571be8de0ac0d98c61db_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5a47abceb4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8f844ee90acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040f763ee90acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001af5a1ee90acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da4491ee90acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e57a4ee90acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db4d7def90acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005137c7ef90acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000689661ee90acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe
3020	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-22_63c223656da4571be8de0ac0d98c61db_avoslocker.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2080	2024-05-22_63c223656da4571be8de0ac0d98c61db_avoslocker.exe
Token: SeDebugPrivilege	716	alg.exe
Token: SeDebugPrivilege	716	alg.exe
Token: SeDebugPrivilege	716	alg.exe
Token: SeTakeOwnershipPrivilege	3020	elevation_service.exe
Token: SeAuditPrivilege	4660	fxssvc.exe
Token: SeRestorePrivilege	4788	TieringEngineService.exe
Token: SeManageVolumePrivilege	4788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4648	AgentService.exe
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe
Token: SeBackupPrivilege	2236	wbengine.exe
Token: SeRestorePrivilege	2236	wbengine.exe
Token: SeSecurityPrivilege	2236	wbengine.exe
Token: 33	4928	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeDebugPrivilege	3020	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4928 wrote to memory of 5100	4928	SearchIndexer.exe	SearchProtocolHost.exe
PID 4928 wrote to memory of 5100	4928	SearchIndexer.exe	SearchProtocolHost.exe
PID 4928 wrote to memory of 1984	4928	SearchIndexer.exe	SearchFilterHost.exe
PID 4928 wrote to memory of 1984	4928	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_63c223656da4571be8de0ac0d98c61db_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_63c223656da4571be8de0ac0d98c61db_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4284

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4712

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2688

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:956

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4004

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:960

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5100

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
55b7b71b3c2864180d451676705c036a

SHA1
923e20ad5af40a99d53fc239e4364f834c991c31

SHA256
1e96d83aca4554c7fa7190e98f36c2c93edee8801d2bc2f628e5fc6921f7f348

SHA512
17871cd650f4aa21176f5ce6166c0d87ce06a17c1d3ad1a693b7a23d18429750b5443626c36388ec88eddf8cfcdb502d7ca897c92e9a7bb797c46b48254e525a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
8c05af3ce3f8091f68f93e10e52ffe2d

SHA1
4588b46d2450a8153f98298c82e822c94cf55da6

SHA256
26eb16c6317aeda25394185364b4fcb4be785b56e6c0948f3bdd32fe44fd85a8

SHA512
0f2bac16d90d8e8ed073b6439007e9ded68ab4f1d4b28e9f9509f4ca8ebf30c626f662fdbc9a5b7c4e6389e1d3e239bdc515aeeb1d120dca031e672d4da09a69

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5983487d1656eb0ce5fc1a39b60368f2

SHA1
c20fb2ad6cff8586d2d268b6081c17a1ce47a024

SHA256
7d7c830ba97997b8ff8e374a0789eb747eae0bec4a207bd68b057d368906b331

SHA512
289f92931393f3703b671e340eb0e4a6230fe1e0f828469114cf8e1db2d90ad1d2ce6fdff280190d6fb34fd4bacab0d59ebd83b3761f2252a70fa74430a1ae0d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3099f51d65ff189104a166a9e6f2c44c

SHA1
d7b7513de13b6a1e32cf0030bdcbc356f5309448

SHA256
678cda525df486b6005fc3f6ca3756cd00bbceef1df777f92ded7c5e73bd7c71

SHA512
07bc9d2856be9f94c519f75664a36051fce4102e89e5f21e3a09aefa75e5cd2cc96da23aa98935465f2e00f9a9bac3f83e864f9f24fcbc03c41a261827a1e8ca

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
540152cb34766b5916df41ac7d0e9420

SHA1
25bbe2a4e0d5e5ab2240be5bd68802de4b570ef2

SHA256
0d7fafd563a9a9b385f99af1250d432802889298e0575693fc560634867e98f6

SHA512
307ae554b6461158ac03d4d402ac5fc2f9a396cfd432378b09f0c2583db2badf3eea41d4ca949f5e8fd965c77119b6eb7feb822ee0ef1b426233341a1d9899f1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a229c15942f27a0e6150c4cda3c4ca1c

SHA1
f8632205a68b92cfa338fd0d4355a71c5305e194

SHA256
8e9a21003e5b9011fd10eef5b529769d3bb2b7d30abeb88b4f7e94df972684a8

SHA512
1d3b3b8fca922baaa7acf1a88ea806679233bfda0a2aea5a10641f0ec8465e4f7e0313c923d69b20d3807f0d07e8badc4fd09e88067ff05d05a5058290d474fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
cb74fd6bb41c391e15550877b4e3a089

SHA1
d07be013ab997282e7dd175e275ba48cbdae1f79

SHA256
49d3b58cb3a8436c682548f7e1625e99ad760575e1b0431af88818d94ca06f3f

SHA512
b88727366e72657f229af1d844c80542674e67be585ffeaa2edafd34454f39048e1a86bcad1047a6bd77b7ee9b5075fe1a88b2c4f7f5a60f19438c2fdc675274

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d0df1432baf56b60407e5c537d6e4fc4

SHA1
b42763947f1595bfce9f9c4650e90460bd34ce08

SHA256
1dd29e886eaa72a8033b22b6a75ef313ecd7b5576eaf4a87194e96da1d3c38e5

SHA512
ef93b81f7385f8ad6e72f23327e97013383bbe0290f0eca8a9ca5b78f9fee5c70589debf89d123db2a1909d84c9e5110214d11e2d718dd8779b09767aceb1f97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6045c080bc1efeed819775aa3a1b30b7

SHA1
a6055cdbaa12f202625f2c264f395c59ed4e9230

SHA256
39a4eb224673b4cf12f3bc4c8c4db4d9f9921320f4e7084d87cf4a47a2fe75f7

SHA512
88bd45eed4e3a9d616e3a6c1dce08a3728644cc32a32de09501df137005e426403988155fa5caaf3057062359895a83c2ff7117efc7841c14c392bd1e5b6eb3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ebc07114afa8107e3dbeea1980bae4a2

SHA1
aa79f73077f9bd2b96659bb65a3d1288b735b99d

SHA256
e4297f80882057691e68b5a0367fa69b2187287a83e61e240337486325f46a8b

SHA512
b8aa4673994afc4341115cdf3e3eabd9603e6ba52fa60888023f48c2fc63f8a89f24b82fbff2a087fc10451665de78b3fff9fcc6613b1a674737a912813d829f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7124116dbeee9e7fff4a492df9b1802d

SHA1
538667b88e9d73b44802d9dd0a2d5669ada944f3

SHA256
b95a5af4d434ab0dd575edb95bcc7bb201d18313b5852afca062ecc1037c6b1d

SHA512
9049ed3c678acf0dde83f259a664c0c2b6463f4bba92e615bbf852b716079de9ea732d8a1f41908a6176777b90033f4dbf0ea037cc9fdde89e761eab228d2bd3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b7949c8054b8ff9d028ae981d4253cee

SHA1
8856ebce5448c53f87ec667fe35512c60d00c7b8

SHA256
1665228bbb7b6dbb47c70398a38d6ac20132d3ec3089eb9b37625c5e2202e1c3

SHA512
e35caf42e0792366b570ef7f80cf8547ed140e9e76f5d160d5fca75b5f7f06727f8d796ce5317a20cae80bd1ae5412edf7639791e147f5545de34dd2a227dc04

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6c78330c18be106c184c8fc485a87449

SHA1
ea6ee48f339eaea9d5870c630264eceeb4cbedd2

SHA256
db187778ff84e3587a14ad6f9ce01eb99c8acc5dc0c62b2d6d5fbdcd3fbc3b3b

SHA512
6d7698105ffacef224407929b6ef2d6e315849a5dc37abae3ba6ec9db66aa6774b68321caef725850238c1eb127c80a4c46f12c088422b0b80a892bc2c4438eb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
44ef1b46affe4c3f945d744b5e2c567f

SHA1
a07295eee848f4da238b666c10c5ca3b9e494eaa

SHA256
7e67a48cb9216bb7b0afa88db22a0bbba8f350adc9aa4efe6babdc34c2e45f4e

SHA512
53c49f23dbacd1332e7eb0cb7f039dc1b0e390961ce29bcf5ade782471f874d57eccc24f9f5425abc1610c3ebcdfc13d338a588afe60de29697c645142e15d15

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c68ccd2c262c097012754c5b41ebccfa

SHA1
e09fb863b8c4bdcfc3344550df5954ebbc38d997

SHA256
f868b56617b94da19406ce8d0cebdc6a3bb248091c48925a7ee64ee615714dcc

SHA512
dd21ee778d1dfc65c65a96b1a3a1377ad688e55dde5239677937be9574e4e4592bb2c5a850724716893e3f2d7bdd064b72743fd5bd0e4a9945ae44073f14333c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
94d7da97e225a738646292990963c1ba

SHA1
ab0b8b50c35a4adf772c5b7610de2fa6900157e7

SHA256
94fb5701a0bcca4910f7286498a3346a70ab0f5a74424b02c331626a8355668a

SHA512
c6dba1234dd8ebaf96a07c87e00112e5f030ff9461e6af0cad43692bd10596b559699ff5427d6ccc1f5a9d9bdcd100e3e54fb2c5f083d353e1fd26116294421b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
96416518ed6964937704165868a96340

SHA1
2b8635b91ec59684429557152ec32870de40ec83

SHA256
c6e7222d146cadc09bf1d7df4ada0c16f0a4a7f68a7c0ca1857611fac7a56319

SHA512
90b74d745156afb539a652af7fe3cb305c1522192b95623b41eb5e0aad3414a1e30d5eede5015f781e7f7b6d4701d27b10e26e5f4f0ece226f2dc7e9c6004f9c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1da4b188ac388e8079124705e4363031

SHA1
2ad4d71da658c6267416279adbc18d6df63c73b4

SHA256
7f6696f1d30971f08b9ec8cefe73ca41ba870e31cff5f23dc46a8a1331f142b8

SHA512
b5f187e3bc60716c9c95b0713ebe5f0409a7e3ad331d1370effee79a62efeb783ddd94c9b8c505970eeed5e50b6f98d5598f69acca2cf66fa3f8b514426af6b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
00b120415425720ec114181cd3fd6c2a

SHA1
e81d92e396f46fb69e1ba4222762264f810b9c98

SHA256
d8fcff691cda26a1a22a85ee5ac46077b83927d7c30b3c962ee0b037f3f99220

SHA512
6faba7b2ebe1ea9b82daea68dd2ffccac7122935c261013d7994c0e4e41605c7081498bbc9aabffdbf4c94c41d4e7fbceb313f344ed63c65d69f955782c3e139

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7f7c3fdd71eca201509194906ed0322f

SHA1
da67477b42c8cb62bdd64f117b79692176bc2e16

SHA256
fffd570524ca608ec698c4c82585c30c3ba99cb7a62406b957f460edcd9a7994

SHA512
c2004e5ef8bd3b75e97628d0a975395729f9a2c1f4bdd8bf6814da4d587ab94d74650c7b340a55a35ecf9f7f98e06b5356724d6d03b81fc67f4421cf515412fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
64f88acc769ed5ea75778e1702e90525

SHA1
db441c6ab0bb87232401135a50c0eb032e7cfbec

SHA256
1c09eadfdc9647de73057daab5e2f89e404daee416be94d2e287a121bffc7270

SHA512
f58326f7b1c5a86af840e237a4de58b739074ee876cd2c990f0557467b39da9a50ec55365c1791d879f7b586028677cdd84b3b59472dc25799532031be5e8111

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d94c1066cc777dc3064e3c151dce6d17

SHA1
c424159b586c9109ceb3a461ce49d69ddb3b6049

SHA256
83722dbcd5cf30829ea5f04f7ac08157ae2747d3fa5ddddee4db12cddd87184e

SHA512
54e71e13c9b75f49cdcf46ec77e6064bb5bc23dfc5f31764bb58ad8746de2764ef414927700a5b40ea424c676d1f02d35a7b6978bced4a0b25d4cfab7c8def4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5465cb7a2d97911b888050370782e448

SHA1
5ca4a89e3a941038f257fa0e3039074bde1224b6

SHA256
d66bd80f161544dece8ff03b0fa643ed6e733d3e2e7f7ed8b3390aa1862faf0b

SHA512
e97be1d33fd1b1b72ae477d7ed411afc8ec93d2347df7b1fb39c249efd4c1c695aa21bd77c5a118f837c5a9e1881d082144f77f5b80372464c21ec71005ade2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
512e5d52892f15cfd8a29dd15718f002

SHA1
6ef81dee16a93fbc0aadefe9361a9c16059a0b3d

SHA256
c12b335add906e6d3cf558190d9ac553e09ce41d6aee89e9156be0e142e4695f

SHA512
be8ee5a2cbd53a0cb7814411be9d68725bdf0ac8abe2b84b07c749df9e59d1f60499c2c274a3f733e162a94ce379683b64491442482171f57d37de2040ccc835

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
370d6d1e16373f84f27bcff484036428

SHA1
ac8ca84fc91fb7f889451da957b2cb85dd459383

SHA256
0bfed3e18a933d1b79c39eda8d3faf8c661623453451a070a756c50c0b944d4b

SHA512
190fb423792dbea5b2047528931c7688277cf3cb1e952f343504947d6461469be180966044cf3d16901664215b3de4cd05a83a34040abfdc817675e3918cea06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
3ceeb4dfcd5285463d8464943e2e7cd3

SHA1
106b6e4647179b7b6ea75505ba1e01d56f80480f

SHA256
cdf7810473bb5f9045ba1c1a7f134ccd7cfd6954d62314e906b5b06d1f5a6734

SHA512
7021bdcd7fc98d9687301441e305a957e8869a1b70f555e839dc7ca28e306942cd9a17a3fb0a3e5f047f37aeed72af3999aa9e1c6b36765595f79d6a335a451c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
612fd07663da3185014532e525896949

SHA1
1a0899dd06d9298ab37eedd9d865df868aa692fb

SHA256
2ac6624a93b4249f2c0ed17a02d43485b4cc92af34e9bf060bf1549db00dd322

SHA512
3987071ee1707c60d37c21326d693cce80f78864a102fe4f818ea3feb5a358caccb4a612f0d8054709daedce396a240e8d4e66f3aa9005bcc878634df2d16f4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2fe01b50e3cd1f374989ef85fb245cda

SHA1
a6c4e3012f64d1e25da3a05481fbb4837e1fe40c

SHA256
aa656e300b585ba65586e2a8c3c92087d88e030549f7359020cec54607819ac3

SHA512
955b31b4b22618ede772d98936fe025a33bc69f9fb35f0c79ae6849113b2bb157cb67ba54aaed812615a3f1f4a4b4fd4b06717803050268dc27d220c8e722553

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
685e84e44130d6ff5d1c172baefe0e01

SHA1
ba3ce08477e790370f6077472e29d2ccd51437a0

SHA256
ba999c8f2bbe724ea402331806004bb413cc27a14c335f444262867c088809c3

SHA512
13f4524b6a65d064269fcb12efbcc22d6eb75165e51eecc0830412d8fa3f36bf5629f8e0e6426f0e436f7a9078538aed136884120f9a0c38717a514c4a0b78f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4522be1d9615c6fd5823502b0946b23d

SHA1
17dd156772aa739b27fd430b9146167dab2a0da6

SHA256
e706a5294235ced1fc45014cdc52c5839515ef0083e61fd5fb18e7626ecbeca5

SHA512
22fe91e08b960a2eaa5abc8dc1c516579823a0e9bf15a2e1c34e7e1c63820e98b8e6f64445e974ce4d6b4d375bc377a833eebdd95ee24faec22c9cd0a71bcd85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ebab51973baf1ebb8c33f8013290948a

SHA1
ff4085fc71e79874f409a0523041b6b724d803b1

SHA256
89e1d5180993ad51b86eef51fb677f2a7b6f78fe361ead0c139eacbd0d6e2092

SHA512
d80a49cb24ff7064d0a975463f8778fb2debd07faca0cc0d952fcdd70ad269168ecf9b807edd7267387b90e36ac7f8c54acb491d31c292819ae4abde2287c48c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f96daff629c56a002a52ef5b4d3dcd95

SHA1
ef8fb172dcc71851631dcc9d486957039b2c49f7

SHA256
008d0eb4460567bfdcbfbecea2594ed57b7e02febff169ade4a324ebfc2f1715

SHA512
d653d94b66c9b576ae7513243156055f19cc2f75ad8566061a530c27139f69a38f7c4f85f2eb19ef7efd688c5e8ec73f9fc69aaa55593b98ef30b293b1821b7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2d4acf5f75824cb9fda1be7e963073e1

SHA1
eca9a91e3fafa18d3616524462ec9a7a0ae321d9

SHA256
68972c0a080a7be94dd2bf0d3051dd9af8434d9b3c949e343f18cfd87a96af27

SHA512
536b8b0be537705f8b8a53b08665fbd99adc96c8ee7b618cd6102def6fcb94a7b95714507ed4b1a246727f8830306042c40714d3155744a4068a941f12238de0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
11cdd67da378818edeca89c145bab864

SHA1
e478066eea4127f2f2ea4848b3b9e207e2d3cb83

SHA256
cba1b91889e36f4a4611ccca8f388c71444f174b4bdbcf19d0c267d91755914f

SHA512
5fc6e380f9ac72d6bc34de979e4c6cf8be245a43f61efdf2795534d94cc3f20516bbd527c9cd00804eec1785c098f3e5d1c9274f5dc04ac46e897dcbd1805aad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3aafb23be908bde861b05c2ccb36adae

SHA1
a52364cac79bdf16278d7fd2475ed9f574ce162c

SHA256
273cad635b3d459b9689c7984b909a83cd8612d136b2a357ce80b898d3fb7ff6

SHA512
fce6b4f082f69bf0e19723267b8a36eb990ab62dd6e51931127fd98db6a836a1a704f0bc6a7b22ac03d6498cf3e3cdc2e260c2a8f8c2a2e48022c869afdb5f30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
8f3ee35c9c3cd9edac12d41c0e5dd9da

SHA1
bfdd3aafcace7539ac05eeaa7e5ea7cfa7be7ee0

SHA256
5096187777ee70b666470ed54c5810d82516efc3e690762490d8575b42413f55

SHA512
853211df75bb2b24df0cfc9d07cc2103965d2cda2719cd3da7a8f013ccaa94d70db07c16b44b91195b5437800c93f4b4d6d19b0f078f1e39e8c486177beaa910

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
2df15d3975a1be68ddab6a5750e105d1

SHA1
765202a94d980f409178b44ccbf0a7a960aac26f

SHA256
8df2e9e00facf2deeaa6267ac195b1c87b2193bb4e43d04b1a38b77bced44615

SHA512
c1c06174e7422096b3bb7f58dfb87610d1c5fc5490bcb862b44c7e5314a7f32ceb31e16b12de897bd6ab6881ef130b076c33dfe7fbc5528ea708a09c5f564629

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
f24b532bc296407b66b1d438646a5fd2

SHA1
ee3a538d258e6b14b394bb47abae5d1c473f10b6

SHA256
daed83eace5e4ce555c2cc761009ef960db6b4790cdac2c1fba6dcbf478d408b

SHA512
4fb949469a89deee9a6576cc62098b79c49fe1a84dd4772b4a29ae835268a4da3e11f1b15fea85e0a82404e3b0120aa83022374349332d4779d63ad3679b84ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
a60d6e01bf127fd98f1417a0ae8a53a9

SHA1
a4cd4203ddf3bf8ed7af08f966e9074859eb758a

SHA256
6482898d4835c8a01bf67436b9f6146ed1030fb7c385cd608cb9ca278728c5d3

SHA512
94ff9679788ea829de677b5a1eb66be0ba9216ad25dcc91d3b9f4da6037c82b684fed59f982f8c39fb37d36fa8eb7201adbca90c2116107dcc8c8dedd13f559d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
1cdffdd4d9faa2e3f0bd8463fb311f48

SHA1
7a1b014c736c1fb1fe3c0e6441139539ddbf4984

SHA256
b69646785260445ea2c5a1a0f729dd5f6cc01deb71e2f3ebf6a7afb206988a75

SHA512
4e9056978fd0935c5ab41b609d5b24f4f948984be425e9f5c7dd9dbb754b638037937beea50f1564c5bba4260030561cce913be9b9f924a626e61d5e04d7a798

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
19d0e0b30c16f6aed1f28d92bdccd92e

SHA1
cbc7d68fa86893a0e3d85caab9eb85d9bdcd4eb0

SHA256
2f6b5ce1e1746ae822e38e94de3fb13d73f8404094423bee7c4a8d6d19b84dba

SHA512
7ed4b0d9c8f1fa4f9b7b11ec312991d18273cffcd46587c5adf56858a8237872c5deb861266229d0bca6bcf7df1e67244da8bfda78f5ac08f899c9d80921bc2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
b6ee69634f8ff53330c1bcdba90ce29f

SHA1
8eb36a3076fb2531739495ec4f6cf66a1f3f71c0

SHA256
c06533eabb67658a652151165ea394f56c328e34926cd9e788d2eb4368371033

SHA512
487b8b073da9a6cb8bb500ae062b42df746f7e5964e13c1f9463c4690202e50cb10cf55fa510e26692755deb4e3918f04298881664dcc0df3adbc7b370700dca

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
ad18bc0e17c01b43b215c4ec74825edc

SHA1
5254647043b284bfdb5e8a95bab12ef2c273b995

SHA256
d87655cc5ed72c75e4fa51d3db5dde089772b1270da85d9b92e22908c8f6dfbc

SHA512
07164e32651ab2aef25c76a90be1cde82012a335cace695dbb155609dbc14b8f5dc9defd46d67ef9f4e65b5b7f6b347717538a8ad6cd30d57021aa628273af25

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
5c518cfd6c4f5a8680930d3e28b575e2

SHA1
3f1de86e8cd7039904aab469a4b106961fda9f88

SHA256
b438301be121916969de224791c26c9afb67a0838b2f273f0fc6da54eb49821d

SHA512
af5262e1346754df7206c29394403db91e619ea0fef31a58799f844d44967f461d6a055869c90f594f2ec991deda4075d3c0ada99888caac626bbcc61b472c21

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0b85738bbbe2e2d7a5afc7455f2b5f45

SHA1
6fd0f2fbe181905e86de076184c2a8c4afb5b1c7

SHA256
efa04d82f96f1017f4c8da00902032692cb7811c1818effb2b17f6fb851670bb

SHA512
95840af7fd4a43d9f82d5adc63c5efd7dc5cbcc611bb81e12e2304228a10651e7c8d59d0428e5f789276694b00623c02b77d44e4e82ea94447074694eac4b7f4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8319fed89d33aa0e5827b18dcffe7a1a

SHA1
c56375d0c2b8dc91cec5e9cca40ac6cf6ce07b02

SHA256
ab8407e45501704bb0356ee11a90e57dbba9c6cf973e339c8b26ba5f88e40ef1

SHA512
250cd948856db8619dfbeaadb6a6f708baa0d816c97ac58dc7b4d33a3c02c7c3347425bf70d2fff8b9963b274bb12a67a4f7a0676e87e810ec0aafd45a57cb7c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4e2d2c52f3ab58bd4d19a624ccb555b2

SHA1
6a2552ae238f89f9ae895fb6e5f9d22305166451

SHA256
9c8a311816dd29bd5ed04c1d24261ce923cc6ce497774929250125e8e04494a5

SHA512
3e05a2aa5a21d7a83051c4558d551bc4626bc2b5efb23983ebb9621f70240d7a49648c9e78f991047648e80c64a6f71c9feb264021820983347083376ae2ed94

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3cd23bd012f9fc160090ac81490b1889

SHA1
ba5fc8f5ed8238ddf93a47613cea95e098a62b61

SHA256
e64bb75fdf83201539140950d988e34fe4d3c895e9a934f582c3bed04edcda9d

SHA512
d437166790e838dba7bf909f442d184868cb396db290d06d5b85551b7857b6e180b397d8a5a7f93b426e374edf72ef57b8c4f77b558dc92f874c4fd4f2999731

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
543db1f4d32a7279805c916702c2bd3c

SHA1
84e52ca86afdb04cef3363eb0fc2c52e2b7d8833

SHA256
1263bbf4579f718d7e1253e8dc95bc67da83c704a9f4548d4d943a5bd49aa912

SHA512
09fa8252904e4dad3f3003174b0a37dcee561f18ef66a9dfba3a679cd216dee4819a4c39d9d1c08df6b39155cc2141d6830b3bed034c75177c6f12f83d81a755

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5d130f388fed3c0216e0445e84460dc3

SHA1
974666616623fed945d2d6eb84cf377201f8d6d9

SHA256
394c9f7397e785c876b4827ab9096194257e373f70a9c58809893d0c9bc167ce

SHA512
db287cb58ea41adadd29270e2e9f672058013504c6e564f95da33d623e7f67a0317432a747db695639feea63b3a3ec0ece54066796ba6087eabceec83a77c698

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
85229a445ea8bf7b235fbe3fe218800f

SHA1
0eb7b575e3ca179042cd9eff2b2e4c2f70452e81

SHA256
161698c96ee2bb05bc70be6ca6488a011454b65aa2efbb267ae6c4bf2d8b0016

SHA512
52d658b204a3030e1a5b495858d64b976d09d34364ae22d12b76d7d935a25a54cc686677be9ee4efab759c95e16c8f6e3b405f824fa0b87533f0474b9625370f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
efdd1781c97120e4dd8af5901b6b56a4

SHA1
ce307e9cf427f586ed3eba0f189bd8a7da01a991

SHA256
bd89f70751325445a84960911071bc247af4dbf16236d7f42efd83945ce81b1f

SHA512
f98b5bab80725e87a4f675cbb716fbfa0d3f946696ae639efdc22947321f09d89eefe4548c9b15acab8fae3a9d0648adda4ffa042658727a1aef99f35feb5f71

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0934fdefd252186a6c8506d2cc3fecee

SHA1
af74ddb4d4540126fd4b1044200200421c485a8a

SHA256
ecce6850af5e190e3b86aab13dd30af9a411c6b7d10458cabdcb94072b61c0b1

SHA512
55e4307ec3ae4c6ea3fe156e7e780cbe55e6491ddb4bae88e011321d7ddd254e7d52921245ef367f631a20a1a388cd874b01fe261632b059245f1d242227e1d4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e4cedff7720c15470b719f983d5f411f

SHA1
f6e1ba31ba9b5d95dd8d79d3de3654348fae9d79

SHA256
14728bd0edea40380478e4f02a1c01f1cbeb2ad90766d7aff58c62bb3361aba1

SHA512
12ed2dd2764d82b4c8ed3698cdf0a3cc3830b08b8b1b409abdc012aeba49fe509f04f378038bf8559e5d7800cde297cfcc8c384ad378fb437f0ff376df89b868

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b0b91e79f2a341910f6604e62e9f2440

SHA1
f6bd200f185632fc7984a44e47814cc305d7781f

SHA256
e0eaf21eeb50acb541bc14444e380fb9a511a8daa21a8f2a2b7b7e74e11eb6e5

SHA512
32b252c16944f7eb3fcf14a24ef4eac158c084305d62647b6436c8f04ab06beacba4da2a00650c61def40d6bb31650d900bd7ce9210c23fe4d73e69a8826a9b2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
caa37a8609dca819a8b9d15d1a988a95

SHA1
48811ba590b767c16c020e70be95dea5b48449e7

SHA256
96a1472de33c0781d9ca7756a526b5618473629c2b67ab6b16e90f08af3135b5

SHA512
c0776498fe8df0f977b8c122f54f57c59f95b8237eff7509593ad91663cf4a853187a703754219ef063b08a17a589c3eaa4f9f54fcf99213e7a760fe605fb964

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
03705bcfe67b9a5065c470b5b3e0c0f2

SHA1
126bcf2c43d4b735e0247d6008977b3e83be636b

SHA256
82c5aff7d8871f8c76a29b6dd490f32a22b5f74f07ac46e523c630ef42e5e0a5

SHA512
6f62e3c774e9d0ad0693dc01b4e6e1301493b5858943590e84dd2551be75864c69c50813e1fc3a3d41ca2fefc284097d1849ad99259d0740a01a466826140dc6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b2e56ac786be9024b24aa1e29d605854

SHA1
cd87a058f2e43175b341568499d309602680ee5d

SHA256
c799c6243eccfe3abf1962f4291a06e8b0822778a3f21267429f22b5654e9aa6

SHA512
aba3a345f7dac2ad6ca365551d46d53bf3b675bdc952fcb9a3d801c6818d991a5f9f96878c8b400458fd48c3bff291d09b9184815602025fd89dd49c9ba2cc84

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7e9173e02fc1062885c4bfb2cd638433

SHA1
a74b008e43ab9788a643b031f6fcbee8643d379d

SHA256
c4bdcb738d318be5acf309a538e7bacb5d609bbc3b72c9be1d7e38a3561533a3

SHA512
c54d62880a7134265da1ab14437b5f0185ddb41399a9e0f2f448e27da0945ec308f6d213621ca1ec7d86607ae9ffa73438b11f9ff820c431827ee0b53bc7dcb6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
84d0026a9e478af42cc28661ae83443a

SHA1
11f3e89dfa2410f417a8c8893040f86547f2319e

SHA256
fd86135f85b504f15591330040730a72c3d885676f40a683ae57980b403a122b

SHA512
e508d96785ce48efaada8ae62a2cf4cb832732fea9db1c62e74b0ac9cda33defa07d97a2bc3e3956773d41d022cdbc530e8567cf7115725e9cf73122f706115d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
75c427ae43ac4a10d0849f919742798c

SHA1
d3f56ce30fd07ad8eddc7cf74be7db596f98c89c

SHA256
a7d5edaf25d1edb3a027819a0b02a4f0fa86a54844582f1fcb4f5c02774e7904

SHA512
bc5669b508936cc83420a8409b990167dbc32cf66dd4ab518aeeee3030553fc6b823fc135e6998556dfd47d231eb8d256dfe7e583e04e9da7f90e7448dc097e7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
95f2f8002f6c81d0a19d140355d10695

SHA1
0ca405c64fa623e298f12abc23f0c5d2880dae69

SHA256
70f5560ab291585ba27dab9e9aa94e07501b7a925e0300b9650d19dc5abba39a

SHA512
9edc3c32dd77c6d15001f8d318be5418d04209903f4d8fd429365ad94175e79f6f274f15d5f3d573c844a26c9a62178082e2bb63054eeb8b1f118f3958163461

Download Submit
memory/372-553-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/372-433-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/372-313-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/716-17-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/716-11-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/716-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/716-238-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/956-384-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/956-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1000-421-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1000-580-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1252-385-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1252-577-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2080-6-0x0000000002180000-0x00000000021E7000-memory.dmp

Filesize
412KB

Download
memory/2080-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2080-1-0x0000000002180000-0x00000000021E7000-memory.dmp

Filesize
412KB

Download
memory/2080-28-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2236-579-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2236-409-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2300-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2300-408-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2480-573-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2480-347-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2712-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2712-578-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3020-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3020-40-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3020-31-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3020-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4004-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4004-554-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4216-518-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4216-324-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4284-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4284-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4284-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4284-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4460-366-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4460-252-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4460-246-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4460-254-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4540-396-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4540-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4648-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4648-370-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4660-258-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4660-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4660-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4712-66-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4712-62-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4712-56-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4712-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4712-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4788-367-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4788-574-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4852-301-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4852-420-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4928-434-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4928-582-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4956-69-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4956-242-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4956-76-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4956-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download