aeca822d2c1f7c990dfaede7c9ef6e3d7e76efaae9e0440ddf83e3f180a5220e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_adbfcf53d589a1b5013b31781174fd06_avoslocker.exe
Size

1.3MB
MD5

adbfcf53d589a1b5013b31781174fd06
SHA1

98f0e421e08243278235828e9b1c49a59bbdc395
SHA256

aeca822d2c1f7c990dfaede7c9ef6e3d7e76efaae9e0440ddf83e3f180a5220e
SHA512

649432513fee0f2c8ea057d74bf534d86f3fb4191a61e76f8a8d848d4581d216860ef0dcf72d4db3d535cc5e3d4d8902fef154dc551040385272a56a1a81928c
SSDEEP

24576:j2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgeduZiUJXca/VQBIe2dhi8OP3YGv:jPtjtQiIhUyQd1SkFdu9TQHj3D

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4932	alg.exe
3116	elevation_service.exe
1864	elevation_service.exe
4108	maintenanceservice.exe
3840	OSE.EXE
4808	DiagnosticsHub.StandardCollector.Service.exe
392	fxssvc.exe
2196	msdtc.exe
3568	PerceptionSimulationService.exe
3712	perfhost.exe
2080	locator.exe
4032	SensorDataService.exe
1004	snmptrap.exe
2596	spectrum.exe
4188	ssh-agent.exe
2620	TieringEngineService.exe
212	AgentService.exe
1492	vds.exe
2416	vssvc.exe
4952	wbengine.exe
2300	WmiApSrv.exe
3032	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exealg.exe2024-05-22_adbfcf53d589a1b5013b31781174fd06_avoslocker.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2e2b3b30c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_adbfcf53d589a1b5013b31781174fd06_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003795077b88acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031de727b88acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9c89d7b88acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5740b7c88acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005aba2d7b88acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a28bc17b88acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e04997b88acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000543bf17b88acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-22_adbfcf53d589a1b5013b31781174fd06_avoslocker.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4652	2024-05-22_adbfcf53d589a1b5013b31781174fd06_avoslocker.exe
Token: SeDebugPrivilege	4932	alg.exe
Token: SeDebugPrivilege	4932	alg.exe
Token: SeDebugPrivilege	4932	alg.exe
Token: SeTakeOwnershipPrivilege	3116	elevation_service.exe
Token: SeAuditPrivilege	392	fxssvc.exe
Token: SeRestorePrivilege	2620	TieringEngineService.exe
Token: SeManageVolumePrivilege	2620	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	212	AgentService.exe
Token: SeBackupPrivilege	2416	vssvc.exe
Token: SeRestorePrivilege	2416	vssvc.exe
Token: SeAuditPrivilege	2416	vssvc.exe
Token: SeBackupPrivilege	4952	wbengine.exe
Token: SeRestorePrivilege	4952	wbengine.exe
Token: SeSecurityPrivilege	4952	wbengine.exe
Token: 33	3032	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3032	SearchIndexer.exe
Token: SeDebugPrivilege	3116	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3032 wrote to memory of 2548	3032	SearchIndexer.exe	SearchProtocolHost.exe
PID 3032 wrote to memory of 2548	3032	SearchIndexer.exe	SearchProtocolHost.exe
PID 3032 wrote to memory of 2984	3032	SearchIndexer.exe	SearchFilterHost.exe
PID 3032 wrote to memory of 2984	3032	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_adbfcf53d589a1b5013b31781174fd06_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_adbfcf53d589a1b5013b31781174fd06_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1864

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3840

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4432

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2196

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2596

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4464

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2548

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
b7c6d0ed5704a47d094589a38bcda48a

SHA1
fa97b2a77c893b9cc90b6fa6d4e529e59aca3f47

SHA256
d793ba46041674540560020091ba17c5ba644578a5e60039b936dde9057699c9

SHA512
2bb15a90f09d28c14cd0ced9aa54e8f8c6605ae067a437aa781250d3876b0bf05585aea18434a968ac0a634c52ebf3ce296ae673cc7900eda979ca95ea94da50

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
76688e2148c1a73724e3b3f47aebd4a2

SHA1
c64d01312fba466c7130f0710c59af1e69e2a929

SHA256
0eff4eff178289ccb018f7d9833a4b2f14e1f7817a91e83e6bf48471e5d1ab95

SHA512
ea947cfb580869dde9597190784545bf48fb2c9dce9279a84de07add563b460602be49304c18b3e1a252d7e95357f1601d63ce4c90d560f86159f8f6928a29a6

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
d95cd576a6f175bf9c2b03e194f54951

SHA1
e4af3e2c0a541ebeb30d4b2293cf28b3ed84b1f3

SHA256
9ea6fe510b78264047efb73561210c23871657ad11e4e4baf95a4856de7f7670

SHA512
51fb0f21cdea873e7663288b29c6604782f2ef4a247fd8e51db1eb15807278d12f7c21ef8b4ca62d2a771bf5c5dc27154d7c8b30e342a5e03aa55e5a400d5c2b

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
84db13861788cba3d2582e04b3a9fbaa

SHA1
f1d18b7409b9e9260a81a76369205739b27603a2

SHA256
f1095037cf108a15fa56b1fcf8d902ea6c11de7647ef4dc75424e6b735edadf0

SHA512
0e40528f7dad3e66820b073e5ec5f0efd2d470c3852e4068a0e68ab9006eee2871f4e9b0564498cf2a7f5d4469b9e9b98cda107271434c10c460b149f2385c23

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
9d3a04605baf2feb627019fdefa99b36

SHA1
a2f86d76f4c85ab37457e7e80eac8c56f31df21a

SHA256
d4643dea27f6c786e0a01ba01d6e11f04986f4f4f6e33a0e2116bc389b052261

SHA512
611fccfb2940890ad379e73ab517cc2be05200c2e0cfcf27676ae041071762eed404119a033dcc50ec84d0d8ddde759e066449a3f6840c55a915301844a0d6e6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
1b62db2151d9dd2c8d0b5a357a8ca532

SHA1
b666f309acc6f763cb87deb66e8ceee3ed788234

SHA256
abd4bf16a985b76e4bd0b7c435e93b663f0b101497bfa576cfc16b9b033066c5

SHA512
cdbea1e8c17cf9c3ccca423e2c41840b38d3edbb23e9c4c854b0409f49cb7a6c9a6553b7981f02301a53eab6ff68d489b633868bd8ce960d822c629799f27bad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
ff61c6db0b2d0f5b93e3cafdf5559b5f

SHA1
75afcfc70e9ed4dd13106d9f75b3209884420cfe

SHA256
a2f4d511c0fe24149a7ff672cde5a841a9194b5649b1119035bb1355b6064921

SHA512
2dbea02b12c195c0576a5968269d4aa124af5edbc274924dfc1f5ecc1c0fc3cbfa875fc0ead83c8264bf289b27ffa51c8da2e3b7e06befd5d44114ac6366560b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
35cc7e64bfd84614304a0479dff02b3d

SHA1
6d58a2e8baee8fa0223f57c4d3330e77eadd56a5

SHA256
2b54c9e5f44bac607ab4f726886a1ba983f07c5b2fd2a933b34beffed10d88df

SHA512
ea6b2b34d296b5fde989359553f5360a35e40f9133df802968e4f3290c365a300a38596a3f75cfbec73a063f9ad71ec853c4a854c9225f726ac39852b13581a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
974b7f6b617376a957d0d18685d00813

SHA1
8842d7e24026c36801068c6d37a0cb0109556eb6

SHA256
2b100014598ff82689aa5fad798d63bde06e75adb722b128ec5e327f6ecc3a00

SHA512
8f61af860e96fde870f0c3d31f3fc0953225bbef353ae455ac2d11ac2cbadb7236e6b9f7aecb0e4466bc502980a247ffdd9b7172b4f71a35bb5a9e6fe0717db3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
1deec2f33dc39663033b134fe7c6d6a1

SHA1
134e52bbd85891eb3488fa6489efc7f298eab0bf

SHA256
a78bbae155462c4084608f86e1fd86db7d49eccfa8a7f0acf80b1f795b436831

SHA512
ba07b404a33afc2a238874bc99aec46f43fdf5b3fecc1ea43310a588ded2ad3db00b683e2a7f3d57cc158118be9813cdbbe5723f17340aaf23fd42be38776387

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
62fbfa59b426098d3a1f7e5387e9a7de

SHA1
88ef78e57241bd37effa4212f42e6bf7e8470fa6

SHA256
cc635c854829c5a53a6afb29d67cbe15353e1cdb30bd2b46e8c9bb32f04a1d68

SHA512
00e27fe8b76887c204eebdf8a3494da88dcd099f7953c5a4b40b93a314ba8c71c15f43a1a0d7751e2bcb767283e6aa2a9f0d86fb8582ae076b072f2c6eb3023e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
229d07458fd48330b3ba514994b38975

SHA1
28095abda3da74a6a5ba63b8bc00fe85348ba735

SHA256
0ef037d2ce405db624171495f31ccdb9a1e76ecf0b2196d9c21e4ee8f6787982

SHA512
4e643296289f8d3da92fd93f2ccaf1576d1356d80c2fa155f0865596f9e6b9edd37926f12b42316a5364fc33439594a7db35bde4a6ebe933c30b2590832cc3ea

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
73693132335ba2ee0eb31abbd7ca9c3f

SHA1
8d555424ef53e3a2865793a9bb7ae242f568e966

SHA256
25655525191726d1288ad61f131f77e89573a3e9a2c842b33d821d0cc91c05f0

SHA512
0927d898cad8f4e602ae5301fe4e458249b2475dfe9ab79ced89551d599a0a7e1a770456bd90730f91795cc9b9429630384363e09a6e63f21e9d1d7a937081c1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
c16e1ff2cbcad00829f5e393e26b7d8b

SHA1
62a86db59e04b3f61d9dbabc6b4d3b39937bdbbc

SHA256
2282de44ffd3d218df226ae30e6c976dd13832361fd700ed9e759ec343e5825d

SHA512
66c6a77e3ad11c46499b054b20f1513ca9389abd20b19423b801f39cf711776801365e4684d378dfb64378e1468ed711ba5219df9bcd98d6372a675e6fd5008b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
4ed0f2f1f17343de18f5e3832f34f006

SHA1
fd485d526713f2257437b12b6d135e262fbb6db2

SHA256
aa38e09c09adc2e7fd15d5abc121303104e2763ac8d31b109dc6e71c3217acc0

SHA512
0969cbaf85ff9defdd928936026a2ede781cece8a95971dbaeb18d09aa0e28a780230517d5c397903a2fc92556d5acda4599f01a4df959436a89ae136ee01843

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
d3943c958c959125462afe18866f84f0

SHA1
8855fe280efe5443aff5c6139cc7cea2483e53f1

SHA256
bdd3750bc4f248d0599489533b277cb1e6c2dea17c2e04205b0ead220bfaceb6

SHA512
28cfd9a52cb101d0199dcb006fd29a89c72e154d158837ac53d2a1c5b7546eccbbf7170fe8902bd8e201bba3f50a9ec6cd0ed28f3cb420d8aa03669606afa72e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
0a54595928978f847bedde03ea3b4a16

SHA1
daf94bae63e39172a7b4e3eb5f6e7656a0070981

SHA256
c1d7b222407f9570adf7964fe234e57e904a9f317c822ebeb68b5b322e99ea86

SHA512
c113d4fbab59d6bd3e0c727ac5c480da8e4287e461d8ea02a0740aca143e806334312245b71bb31ef3ddd00c372e82aa3025c3fe74abf422b349438b37d662c4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
924b30df9659cb32e3a8027ad4385def

SHA1
5b21c7f3f60e3e387d7ad13c93709ade6a056575

SHA256
144d4a943f36397e4454903beb55d35d7f143329b0110d386eb85ae05c0f8e11

SHA512
dbab9a360b394e70da29a21261bd066078c1ca1a208e35cb08139aaac84c0fd6dc44f5f9a38242a33a6039cd7defa7a1883a9183c9c1afc2190e30ad72712e6b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
ca51f226ea7783b38f78dc46c1bcc20a

SHA1
a2f15779f46d045ba23e01f1a0a2d2e9bf011c56

SHA256
8fd23ba24971d4dc873de293211ce989089e52196a21385860e9caa484da3496

SHA512
2ac8e44fa196e6c8ae3d78607df282c65cfd4c7994df9569f5f01fdc73588b6484e68d0a4b73897d2e99f6561b858c0cab92b39c2a7ba6a2d2d975d2814cc96b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
501c487192a2e4aec3f0b10a44664874

SHA1
0c3af5c092397dcab50a1dbba4130bf3fb2e57dd

SHA256
7110cb167e0f81cf185c5571a3cd411d43ad5d371aecc44130852b55e67b3b62

SHA512
db353e92d9b7365e7ca36b05138e29a014cd8fcd860e64cc3285f5d4b10599c83415c1fab4a06b0c49dc0c7d97e0e4fc26277a8e687a990a75a6eb5346e76d5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
31c7c27d5a0dd846c43a5b61034f93b5

SHA1
c849f0f41f0e9de19d9afaf4ac5907b2683a13ba

SHA256
dd2168b6b9b7b25cd2ba70842b750209524619dc79bacd662ecd094f852e7f59

SHA512
c8e8bc1b878c9872eeb33274784e5ff3092d16f916e7553047593b8505541035823a2037d15954366f3f2418d1e9e3d70da90b37cee0aecfd5875b59406f3710

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
8f09cfe6d1f53825635a2737397f85bf

SHA1
72d4126200513d4d401fc1267f51094eea8beba0

SHA256
32cf3e2a66118a7a09ee7797a32ffcbc1c0b8a20fa281d4e32739e7b56c3c031

SHA512
a2f8eb9c8bbcce3b35c545cfce5e82216efe0da4f869c8cf33413382b5a32e402d116caa8746a7fd58f5b5abf5b7ed960acd4688506ede6d6f08a933a7617ca9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
fd6c27dfdc0ac250c1944ff69bb38299

SHA1
e90e0abeba3f59631ceb8e279fea446d4ca2a20a

SHA256
6ab737a07afb81b8b46c35af072cfa12fc2f669d705747c2e73208cd5bdfa827

SHA512
4c0c5de3f8da5cbf9e29f88683982ba81744ff8d6c6947ee5067bfacd79581fc46970bdee380a565c688c7349c58a9935231dc7ec5725bf3f8b8fc9b81e1147a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
c6a18fe96c16f69db8fa1afef201b49e

SHA1
13b8137850b3fd19de1f0b3cd485641d899c32a7

SHA256
b4f23bd88dee032dd746724021931c98355a491ac18b9bca852b5001aa5fc5d4

SHA512
c12dd18935ef4795330c9f89b66c85075425f668fb35b73fb2067ad473c74ea6128108d415af560ded15366ec68b7fd4f0ad4cd7672ab121e8e89f41c5a522f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
ebfdf9ec214cf256c05f49fc6cb58fef

SHA1
dc17e57a422f691e7499b321709f6dc37cbf2a7f

SHA256
bd8cf64575f0da7029ec8f6a6e94cc2c230dfc37668eaf4adab0b7bde8559a41

SHA512
b369f2efdc41a57990c1fab1e12fda08bcaa431656cf93445adc69adad2dd95e735cdf28433b03d9f1611e74072aa8fc23d73f37485f0efeb00615e02a2edaef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
5776fb2d129262a8901ce176b7177feb

SHA1
d36d86eb91e0ff487c1bdff6acd88f2e86617363

SHA256
702f63d6623858d7174d4507be134be39860f86832140dc6a9caa0c4bfa57281

SHA512
f3856136265341ca4af45ed2ea605a6ef66f23f798a43a88273a8047922e36be8506eef6806f06f725507503d27f37c6c4363932ccf5a1b77881ec9f039ea3fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
2c554cacb8914038a63f87f0add34f40

SHA1
c70c28b62510577b1fdb41ef77b0a02a22a14bff

SHA256
31dcb677917a1d4ab1ec22b4850195cb7843252e79641667622e3e062a3724ba

SHA512
7edf02de4fb48a11fc3bb10fe89ceb966d05320c49009769dce2d38fd30c20717ff50c69a1ed678eb2086ea5710089ce66b4064f7f333bbd03badd898f4f2f25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
948715e518e65f9d0825b2eec6380ef0

SHA1
4dca9a402c8ba0d7f22bbe936363228328d52a0f

SHA256
6e8804558df635195101c4a81838373f913d5c2176b5c4639e45187f8afcb385

SHA512
c3421a8a263ed7d52b5b01b7813aaceea8dca464148458f796b5e0ce6a3d9e788baf1c5f1de028a3bcb9149060f20ae1a7e1aade68c224f0d6c4e6757a434c8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
6963c93d649a4c5ca52806a37bfc6003

SHA1
49a12ba58d93b172feb38838159a2c371db140e5

SHA256
db81e131cf44136cc10138986fc8a6155c4dbb0c3c145120445f2447fbde119b

SHA512
ef39a8d15b8b7d63781ed088db0b2bd023d9a0035e8b78f133531452df4bcbf39d0305e8385a37f3208adfab781057bcc7dda75fd9f3aa475e59b3c91a184d01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
1cd3641ace60d55304ccc6c6a4d1e3d8

SHA1
1f8bef407e7b9c58452a0a59ecaf79dc580ec932

SHA256
bfd5f883889519cf47ac1d21530bb03eb3f7bfeefddb4b23a8b9b3241c6a3af0

SHA512
e8f181a5d0c69e3d663abdddb55d4f79e3a76db62a6be0a40d7826413dad1c13b438f2362a9e2b1a178c5e64b9b7adfeefcea710a4b8ed58054beef353d6a2f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
758390152acccc609e393e15afffb526

SHA1
d16f9c609d19a2910f5412c723e653c4fe40bf8d

SHA256
e36dbe1599d8e8c3fe66a69f7fe8df88623a871a5920d107c8f1c81a0843d52c

SHA512
00af1f28bbd71532b477b61c1276dd7be092d1d372025aacad5e41117df23c5d39b22c860db6f69ed25538e89a02ee3b071a25f8233452f8bc87c9833413a9ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
c3385089c992550d3304951a7990b750

SHA1
07f192dfc34cc7a2bd6c37a3897b9dad601a785c

SHA256
ea4a05223682422e06890c0c53874a6a080354f32f70b0d981008ff3ca789206

SHA512
2f4d4cdc41bd321235d2aab0bfad77b16ef2045ccfbefbb48cd550a76c6c3c4da025b97ab05e4ee55f5efc9faf04ff5edff6e9f5a2cf4733cae865c08b2c0d4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
5c26a7686f95b01f0752019a7b6b5f0d

SHA1
49c724c0d6502152d05448ac41c2fd9169f5543e

SHA256
056dc4a587125968ee92a1778bb8700f2dd6e5baa829cab5db2ccf99734ad446

SHA512
204d28605d51d30bd5473eb1af3649c64b113c91e95b606247639c15f411cc8b3b26bb550e07fd3bb62f47173cfcb242f5d19b3f1b3b32ce363d906728070b53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
93668ea0ee45e7a33afb5623bea4a6dd

SHA1
57643a9f58c7f9ca8b61f065f7c4fd1bcfc061ce

SHA256
b944af7dcd827d983601e1878939497ad883ef321dd132137f1a20a5df4a0605

SHA512
7ca4e53f083d668137579e12eaadef2525f6fb4fdc2625e7fdfac4ddcd11a2e71a119dd81fb4f1daaad38e3936a70577d183efc20f92166c74979a77ad1cef34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
eea0afd7eb770d770e7db07997abbbe0

SHA1
c7d08fc0ef8901e991d97eeb44b7bfc2fdb004ff

SHA256
e0df763aaaa5b9b6e394046d9316a7b0bb02613953215c4b79090d492a4ce4b6

SHA512
54ca2562f7aaf6b80c30b396ed48653384aa464e8a9cd467251c31c74843ff469cee8ca3de2f324e0121e374e17e6aff422cdbe622b2faa28e0bdacc6b7d18e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
48f55a81fd47d82f2381ef7e240e147d

SHA1
94018d007fc74dced0f19af183afd957aaecd38d

SHA256
d142751aae6ec57b699df6162914d66f2a469b3999990d82066a5d047e3ac8f0

SHA512
ce9f902bccb593c4e1bc97610c73cfbfb70e0a686650a368cdc7609870f0388d36ba0e5e08a2e760af91be93f2a818b836c7d3ffd39f0a4a7305a3a67a87011a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
61dc12b84070cde7beacae9cf62da7a0

SHA1
3601eb9d947d5f089637c341ccfe5fdcc541871a

SHA256
615f2bd58d0d9fe02abdcafb87a928d0a5466d872cd310f4b26bf91e8ce5d62e

SHA512
2e62226d9e93ff0da57de3241b236f03ed9ea2ed321b0f0e902632f950140fdc552fb8d0983e02a5fa259eda3d413fda5af60dd039378042ddbb1b217c8ffc37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
dfe9e81137fcd893c9042248b5e24bc1

SHA1
eb730b7e9b73c7ae6716ab38e7d5be7f1aaa37fa

SHA256
1a0acf27381b79508cd26c280be31649a6a4e817d0ed51440f69fc4dbbe76a14

SHA512
f53f66af276c3708ca7eb42cd424c7beee9bbe07726e3c9cb0a532d5132e7e7dc6237b2be5c03e30ef6dc311e8592ab72a7e4547ffcaa7ae57defd76d6c4a47b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
6316734ca6a6b34b9ff1b7383eff1705

SHA1
6523ddf3cc37f3992fc34517d32b1bef3642946b

SHA256
0bd6954fe4d88f847c848e2ded39f121f3c8333ddbfcfe9e6e945068da0c54c7

SHA512
34afb62e818dfa3c7c2d5013eadd08d43b5120bc03bd07211143a442774f88cb2cc221debf5a8be6c8e4ac7427b46cd609f3f52f24b7e933158444680892857e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
4e5c853df139032f7ca88bca98592f2c

SHA1
1c9299ab5ac22e8467efaafdba36dc5c51e79988

SHA256
c30f938c23643422a482f37ca89eee1712a3106f3766279cea73aec279ef6966

SHA512
ac840508160ba5a164910bb9242809819b10711a6cd2ff4777d9c4b57aa6589520434baf710dd7469eda09eeb071462e20c1801f9a46210b6123adce760d0d0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
51ee7bbcb4f3082187b5fa448c553a24

SHA1
dcd6c0fd6c666fd869e9a2813f5c131af572ea2f

SHA256
0e001f6f06f016afa2127864277b66d904b888f7e62d5aa50b89d147417fefac

SHA512
8359652bca1f9a92a41bab56e3fe1a3752b735a53e76f512e48a1ec2b822af79d3ff6293682a8ae8e7d9daeefc9814d837263e2cbf25239cc5db29583581d6c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
0947dcacff830085906b1ae73a4b8b54

SHA1
e5e978ad50ac391bac75b44e39946e01996cb168

SHA256
eb1501d9fee5953c0579f9a045e568145f8793ce164ee7265444808aa43c5ac3

SHA512
3210dc7c6a1769bbf9c4ce9d82bf5d22de64c56f666b0bf2412c7be7d016e6c44ae704bb319f26101de3607bfc78c7e44855a1dbf738a7003626d98dab3e6a98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
d734a2c836d0fe31031358c9bf2e4161

SHA1
85ac40fd6c8050e0de0f0a5b8eedfd5b2b827b01

SHA256
26c9bbee1d70ffea8677ad6ad602ec21b73b3e9b5f7e31619ccdd58c1809e5b3

SHA512
0cbb9aab545dd022563f6e2bcd94eaca89b75c41e1df186227a51b4e54706ad1f7ce64f41a7bf81b35c293eb67e32ecaf1ddd2597deb30cf907270097878894c

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
fa7229af5f5068112491658edcbcfa5a

SHA1
c2fabf0848790244b977d803d54d854e623ef1c7

SHA256
fb6c3229ddf846aece0111d85a5d4f8d4b7b99de676983f82c8bbedd35772df4

SHA512
46bc0e0a3ce41488ac7623892d3b99c8f019fe8447cd7b0e90de0a8dd8e3bf40598efce784c3b5a923622a10b7e097fc51f342147bc546efa44fa442bc5d300c

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
9a89747a412470c2d2c1fd5e4e338030

SHA1
8d7f22bb817ea1160d5bc033a8ca23c4baefdd5d

SHA256
a1af862fa4f477b38bff148f2ce941d20fb59315c0c1eacff3e500697b71378e

SHA512
7b1b2b5896891534a6de1462b32dd21001842de28070866721b2eaa7bc5f7c221287e0e5ca1cafa3375bb56d1c867c5e19e5b93e6e937d7921edec2eec50bdf3

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
72a9f95b413b8d73dfae0b48371816c6

SHA1
acba280ed12e633b84cf2b64e1857499578dc0e5

SHA256
1a9d5200eda275af444ac0587a6f74b8316d8e680e8f6390fbffda97c8e2be18

SHA512
2172a0c96f4580e6e33022212fdc88172bc6e7f5405ac23afb995d9388f32b3487d7e3137456556c5ddf1e462ff5a50405af75c5aa2b79197bb91b64c5266207

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
28d598191891c464ccdcdfbc13c13628

SHA1
4d6c195358111085821fee539ea93307f74a8b1b

SHA256
2b0a97cc3fbcbaea589fbb1cf6d0a01b42ae81b89845e5f86fd80492d8124aff

SHA512
3415f909cc695de1593247cceafbfecc2fdcbbee6b0b33b0b8aaa6f691e342088d3788d59c0c4a37a616bd08857b2429e9581b8e5db5fef60cdc26c4cf77a141

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
7c0808683e78f7739670ec2f56c2216d

SHA1
b7cf90acbc6bc3d664a3aa718dd8966ba170d99e

SHA256
aa45a2a94cbbc10e66eae20f7025b8d6fbc9bf7acd31138459900e62daac867f

SHA512
4c6182a61856aa3386c8c97f768546c159a7c446439f8d934d7cdd02063448d3385038903bb65348cccc7e39c2de6325ed18fd7bad76af3b954862ea60f1b822

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
352c046c37fbfdd29f9bc0ecbeb4f138

SHA1
69cde1d29aee0c7984a7c0684139e9a8a697569c

SHA256
fa938ad33dc9f4c7a355638a2c5d063cbcfb1fc661a7af99d1496f7c96598020

SHA512
243eed01641211d5c9f1773ca43218769651769d734663c6a23ddb0e04b63b36da3a2cbb1e3684d71108a6e23e4e56d3af766f57029b1477d155d38e4c37e994

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
afcbb47eb901cac24a5f8cdbdc9f00db

SHA1
d12ddb290de9422a797c7f2238e6b66f9dd5b200

SHA256
892339942edf0b2375e7ceca293bcdd380b345eed3a975629e689b48aa41dd41

SHA512
d3b03d51bf738e7fd1bf3fbfaeac2e5992f162fee4e8129aed749297afb496f01a7264c8a5fea18336fe4023e648c44859cbad6cc1b7ddbd3dfc1f899d8efead

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
9f9ba3c3b2c4b0c507c27a1c4b34fb67

SHA1
8be925bc9d8899345c77e93fbab7b4b4c2f4eb72

SHA256
6b96713c96600f00c5ee98dc14abec1c4b94dbcc310fd5daea5778766b189e1f

SHA512
19be76fc8711c3a7b55325f1bcdf54e617da648bf1f40eca036739bb98f4b46cdb18a0dd3d4aa0011477166cbf4cbbce055c6418e060a93839f3d55c621641a1

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d078223c1c682370c22f18a01fe9dbfd

SHA1
1bb1f61e19a9a9754dece7e2cbd350aadeb4f775

SHA256
5b5101f0cb2fca87f86f2c60fd7cbeb9de32f1a33a820a32087f9ab4a9d191cf

SHA512
92970e6bc66ea0067451c49a02960add52ebbefd03f2a9e3a6fae6dfabafb5131b84df0dc118d85ed37639a47ea5d617410e9f609809b1f9f2fade76c0cf8d2a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
d5a5b37a735150063485687d2f931e83

SHA1
b2c800fffe83b5c527de2e84ae35c99382c8e505

SHA256
bc60d577dfd40ee1b018b9b39aabb61947f49866ca8e4985ac4b3d00c1e0e4fa

SHA512
a13b99ddadccd22b3071d1f9760fb75f632becb4133b995fe7975bcce4a5c360150564f59e3939fd87873154db87b3e7b68fcd0f4a8350a52a41b6a4d01809c8

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
2ac91b1df828ee0bc1d93dedb151cc9a

SHA1
d85269e8a275b990d31be6741ca861c7b8018114

SHA256
06ded05d239e12082b080f7b68416a28af0abe1372fe7a70b9c4a0e1c323985d

SHA512
452086caef2a7d66c3fa882cad4538ad4d1ae4890d4d83991f87ec2b8dae53fb379aac2ffb143aad3bb3ddea0315118836903a6145b8a8272ea68ffaad584a32

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
236fe4e3148377b0c49a6b7e354963f9

SHA1
c5c889d600d106bf3d9c60ed35d22f17fe4e84bc

SHA256
7d4ce77e5ce74ec7650de476395436139c2581539cc11bd07aa5b2d3d07e015d

SHA512
973b8f3bbf6b50726bd2cf755117b11fff188f717e07aeb7ef0865e041edc1c8546cbd3feb2d0ca3f059ab4c1acfb1f221426682373f8093c0c7842377364bb0

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
fbb6ab3459d3415648744f554032f1bb

SHA1
b9b2fd2e8eb202d775bb1406f19b6ec503ffcc91

SHA256
d21645d244ed4c2ece1d1a170d6b8a5363791d19068a1705e0a8dab9ae94b51a

SHA512
de674e558d950d5372eb5b604c10e3c93eaa1c9e5da74bd27ca03ba4697e0a2a9338b804c7cdce58d9ffa81118bdcfc782bdfe14c6c9cf261deff707f8bf214f

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
60daf4ef7675352da67c71852758fdae

SHA1
2bfe3dd1a55461ee1ba0d1b90f004113d10f7980

SHA256
357f6f2c525f9f10f49727443414238fda8ef0de7cd84652de52ca4ea81fa016

SHA512
7cc586b07014a2ad6cbfe6329cf632157c7d47914c5c56a80cacdb8f577046ab8990c909a6885ac76e908ce5110754de012d510efc759c3a52d9fc9ba4c3c1fd

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
94f17b7ed868903736ec92cbb731fd5e

SHA1
a2b8f6e1a120a2ac89b2e12fefebe28bbd75ca4b

SHA256
f9d26ade92affa22dcb95690708e3807a2463de38d7bce9e9215cc7d4d567990

SHA512
0cf95a3696df7991b948988c3734d2e04be8e22f4c8fcf237e0515e4e973ecd0206dc6ea11f3080d72063674fe1564c34cfefb0a7766a1fd92d835bd3c763387

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
64f73aaf3a7639bf9c5f60656ee6d715

SHA1
0c94e582da85f0ac7acb8c32506533e237445dac

SHA256
cfe646e84c5b28664a83d40185fb63d003f6688feac8b25c154663d54b64ea3d

SHA512
98108cb8f78cb4dfddef35ba7e26853c08b9fa38dd73d5e90b7c0c7cd78185372432ec51e193718e78810ebc68256852d6d3c659de396b7b1bb4b5169859077c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f2339b5cebfd5cbcd6a43f35866fdd75

SHA1
dac2c01080cbc457db29643c695aa84abacfa971

SHA256
ca8c63e7bcc52ad18f8de4b6e0e1c3ec5af7bdd6ec85461c25f8c8412d1b381d

SHA512
716e62d706e6f0fc11a1720f1f2db7fc9908d6e5ff42ada8fa4c065d2e2038cac3a90202d86cc49748b46ba01a8820fcb99fc01cce6f1c04388c8deaa1c1f61b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
220364a9eeed862af7f84e8ab2f24144

SHA1
3c19136f4ebac0e00d0395ffd0c441df4e3a5140

SHA256
fe780514e8fbec3181f987153367fe2dc83d71dc0606331d44a9462c92a22811

SHA512
03fd894cfebb0632ce451c81a3277e9ffd39f14d065024ccf1038bdb18fe1d94cc05f05ee1a4c761e5efa45484d6607decbb9fd46f8f21152b42ad1c4b8924ca

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
a8ea44e667933ab79100a6023b985bc2

SHA1
d0a80c91ce6343b36900fc69adb99d69f391ef2d

SHA256
23a913db9b1f17be15aebc26c86c4e473f921e69a15a03320a63792cfbbe79cf

SHA512
2f5e595a4d4887b592083ddac3ed02774a9161df0e9b84cf0ec253e3060d3abebdef9eb8f940f55a89d9875b7a515643c73ec82a3e89cec8b5f5ad0c070b1704

Download Submit
memory/212-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/212-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/392-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/392-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/392-256-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1004-329-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1004-528-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1492-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1492-569-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1864-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1864-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1864-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1864-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2080-424-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2080-306-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2196-388-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2196-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2300-572-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2300-425-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2416-570-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2416-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2596-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2596-561-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2620-566-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2620-363-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3032-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3032-573-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3116-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3116-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3116-39-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/3116-30-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/3568-400-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3568-294-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3712-412-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3712-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3840-68-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3840-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3840-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4032-564-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4108-53-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4108-64-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4108-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4108-59-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4108-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4188-352-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4188-565-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4652-6-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/4652-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4652-1-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/4652-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4808-252-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4808-250-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4808-244-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4932-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4932-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4932-25-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4932-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4952-571-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4952-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download