93c1fa195040b1a6ab0d4fdefc2d9a57c38ad1f014a8b185096a57e4bb7b03c8

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
Size

2.0MB
MD5

9c842ef6c5217bde06529d6bbd663309
SHA1

ff48da177aab336f12e44f5f0173475708e5ccea
SHA256

93c1fa195040b1a6ab0d4fdefc2d9a57c38ad1f014a8b185096a57e4bb7b03c8
SHA512

1dcffa2a61639c39ea17634d6d163e6727a1e655e31f0210d7f3566e4731d28d1b950e1d7f3a059b8cafac4a2bfdc8824a73b4cfcdb424faa8cfef0ae560fbcb
SSDEEP

49152:d9kZUyP3pgXWFVeVpPsRRE7P7S3gzzNG4QjJOL:dcPFVeVpU7KxG4k6

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe

Executes dropped EXE 23 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exeReader_sl.exe

pid	process
4424	alg.exe
1612	DiagnosticsHub.StandardCollector.Service.exe
2680	fxssvc.exe
2108	elevation_service.exe
3752	elevation_service.exe
3028	maintenanceservice.exe
1020	msdtc.exe
4028	OSE.EXE
4912	PerceptionSimulationService.exe
2892	perfhost.exe
1776	locator.exe
4508	SensorDataService.exe
4876	snmptrap.exe
4636	spectrum.exe
2152	ssh-agent.exe
748	TieringEngineService.exe
4296	AgentService.exe
5068	vds.exe
2476	vssvc.exe
3572	wbengine.exe
3836	WmiApSrv.exe
3704	SearchIndexer.exe
1188	Reader_sl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe

Drops file in System32 directory 38 IoCs

Processes:

2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fe241294c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f35d08c5daacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f4652c5daacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010840fc5daacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a84733c5daacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8d7fbc2daacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084220dc5daacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b828ebc2daacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000962348c3daacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
1612	DiagnosticsHub.StandardCollector.Service.exe
1612	DiagnosticsHub.StandardCollector.Service.exe
1612	DiagnosticsHub.StandardCollector.Service.exe
1612	DiagnosticsHub.StandardCollector.Service.exe
1612	DiagnosticsHub.StandardCollector.Service.exe
1612	DiagnosticsHub.StandardCollector.Service.exe
1612	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
Token: SeAuditPrivilege	2680	fxssvc.exe
Token: SeRestorePrivilege	748	TieringEngineService.exe
Token: SeManageVolumePrivilege	748	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4296	AgentService.exe
Token: SeBackupPrivilege	2476	vssvc.exe
Token: SeRestorePrivilege	2476	vssvc.exe
Token: SeAuditPrivilege	2476	vssvc.exe
Token: SeBackupPrivilege	3572	wbengine.exe
Token: SeRestorePrivilege	3572	wbengine.exe
Token: SeSecurityPrivilege	3572	wbengine.exe
Token: 33	3704	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3704	SearchIndexer.exe
Token: SeDebugPrivilege	5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
Token: SeDebugPrivilege	5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
Token: SeDebugPrivilege	5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
Token: SeDebugPrivilege	5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
Token: SeDebugPrivilege	5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
Token: SeDebugPrivilege	4424	alg.exe
Token: SeDebugPrivilege	4424	alg.exe
Token: SeDebugPrivilege	4424	alg.exe
Token: SeDebugPrivilege	1612	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe

pid process

5088 2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SearchIndexer.exe2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe

description	pid	process	target process
PID 3704 wrote to memory of 3180	3704	SearchIndexer.exe	SearchProtocolHost.exe
PID 3704 wrote to memory of 3180	3704	SearchIndexer.exe	SearchProtocolHost.exe
PID 3704 wrote to memory of 556	3704	SearchIndexer.exe	SearchFilterHost.exe
PID 3704 wrote to memory of 556	3704	SearchIndexer.exe	SearchFilterHost.exe
PID 5088 wrote to memory of 1188	5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe	Reader_sl.exe
PID 5088 wrote to memory of 1188	5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe	Reader_sl.exe
PID 5088 wrote to memory of 1188	5088	2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe	Reader_sl.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_9c842ef6c5217bde06529d6bbd663309_avoslocker.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5088

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
2⤵
- Executes dropped EXE
PID:1188

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2828

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3752

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1020

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4508

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4636

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3448

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3180

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Filesize
611KB

MD5
5015aa72411f31c2de0f936e787a1cb1

SHA1
c0e9cd8586ac2337a459478e7ac2c47dee60d42d

SHA256
2bb593f0a3c24cd4ba3fea112983f37fa6a5bb963e157e773eb3e5704d9d9756

SHA512
db05a75a2f4cb78206ce340d72f49937f94487371361cab1b68ea61c96f6869f70f97f180e68582b381d4092ce22ccbe160d0b3e63f3bd5c06c2db8e4cac435a

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
38659d8af02b7afb785ce5024f095c89

SHA1
9e6b418e4dcda84253ae3d5933cb61b913214ff4

SHA256
6d542a389c5b3d49f9a21c8d92924f5ff9a3903cb1be514f131ea6dc302851df

SHA512
d523e24d99ea77e172dcdafbec9f16ac56fd8bb526989865e4f5dc30c7bd7f27543078bd4af80b011c4f662c48433ddad4fbb4d61d96d79b8514fc4b007f1769

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
d54371cf59c89abddca2bbbb76d3be94

SHA1
77932a9256cd9a24782dc4352c8fd36719bea9cb

SHA256
fc2c3da0463969d3a5bf6f0eb9031d428066d38535d69836ae147ca3f8e39ea6

SHA512
94e0b48959cb35d22a8d5d477b19836ccd55a807c5382e6e01202e6efe73764c1af3d002406ae8a29d1ea7340b58538ac96755f16e1e85fae8c714134789fa5c

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
24b6e2a8845806a5742ac3076184ca9b

SHA1
55d077f6392e3bf33f279753a880e1d8771cb698

SHA256
9d4bb37a71e0611d697438bc1f940b6494b8b0fe116131311e173c2b519fa279

SHA512
975814d11bc74939840e7b9e5f8e783c752f2903b68b1d1804cb0892dfa344ba6d64af0bcf368dfa237305b2fa8409e79a998d7c02411b37ae976a9193c1566d

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
bbe9623984bb9349211751dc0d38ab88

SHA1
c502b46e1e6f394b110680c212b575cfa6ace1f8

SHA256
a2bc19c1373b5833e3b6ad920d489121604c1d8f8f25c5eaefb97a3cc55b01ed

SHA512
7d41ea3d87efdf2d2d0bc40a27741d57e9f01f2f9d98fe9feef600e6b120b682227a98360de3e4b99817ea2e988aebb6f40db4764ef3b08becd370d5729698d8

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
474910939678513cb0d2e66e36b6aa78

SHA1
01ccf99b14bd6bb3a967c27fb1d93cfd145f509e

SHA256
7dddf731e4d3208226818040c26ce43195a016907a13db31c6d7214aec3d68ec

SHA512
3b00f7173b96e0662289cd2fa1944085efc851bf1209a92736013ff0e34088d7e5455a3b013a4e2f9024dfc1716f544549b607419d6ea71c63d059142f91cf88

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
fe8608f1fdd4786c7fcf096d60a75387

SHA1
0d17c00290b366a2f5346c0e2498ea7e81c736e3

SHA256
6517e6cf9535d441c44437e4c1efd5254c64370a41a10ec54d735737d4c1e96c

SHA512
019f255fde23fd6b082a60fddded9fb2f0f877455acc1bd0e3cf2413dce2be7419a729f8c26360e5da39099c170644043b9cad8af1bec72b07c21bfa8f07b63c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
80d24293f3763165e457339f923bb724

SHA1
1a43d29cc0e3df2d736167ea36ffcb1c4782ca49

SHA256
fa1a3333bb23f6e255da65c39bc772c7f634215e9aa255c427da83d3c1b99892

SHA512
bf47bf40f3eff2dc1b7932b48a06808af52fcb9952c8278b0aa451c9b930e1eebc55f79683431d7c0fe11dd207b06eb888253a7e6ca6d430372e3f5620246241

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
64202dcedc0b4e80b5e42c83af234a20

SHA1
c9f9e2bbab2165f68c0d38d33b5569dbd2bdbd37

SHA256
53b17101cd602a1fc8982d7eec0000af8661b54683b1fbea423c120690f1c934

SHA512
dee5376e4226b7ec4ca4b01dca7a696b6e09616536e2e2e8c675238c1f4c44cdef59d97cdfd20371119d2997b6dbacb0a5c37ef07f83549e19163e1e8cac15ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
911b2a9050b45cd35a09a77c9087ced5

SHA1
29a1ca3a3cbe60fdcf72be6c00736f871adc9abf

SHA256
8efe33b5fcc5a192dbc2e2620d0ea0ad015e3d458cfc5fe3088c942e06a3883a

SHA512
7e7e0e58713c5172ccf70e3e5a62bff1b76848361ea05da5fe0a19b4b0a94812e2c7796149819fa6e03d31de65d4574e4432f1ca84a3a11791c897d183cf29f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
a3582e6e4433677abf636a36d76c6a7b

SHA1
eda5842c139de842304e540687647f3c6cbad3fe

SHA256
5284ab6f73559415f06cb9b56b5e462ba4b162b72cf31345a349f360437221a7

SHA512
335fa5b63e258a1cf3b694168d32f647d56041b9f352c8207237ba7bafc6090c2ff4ef368a9aeee6aba3a61725040b56116af68140a0abf94f08ff3484058840

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ed044aac6516112ca3908f1f2d22f38c

SHA1
ca091fc2e5744ffa5a56bec2e555be66fce83c45

SHA256
466b43cf07b527f73195af673fd0b14bdc42b769dd86a8f40aded79ccfd69d92

SHA512
77357d179cc6e06afeee04848439ef856daf2172be3b8c356dfa64d3c001ecad8f3b5f65ce52b33c09248a670254c72cafed159fb6f94f1f8cd04f75ebdcf191

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
9c934f4e66b819b7c4079192968edd99

SHA1
f6ae21b7bda85c802a857098a9090c7a4b97bec0

SHA256
579c4ae86d6643503baa9e8799b3b780081bc2fdcc76e0f4f6b2497ceed217ca

SHA512
80a11987d488b037f75a286a2ff412e5698aa8a623bd95edb99dc6d406985e2a05239a90a30ced682ae6a8855850c58ac034a987273cf30b81aac9ecbd50fcc3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
3c32a71e34c0e5e2e7f906bdebd183ac

SHA1
8e367d6d6f052314a7ac0774e06ed91380942312

SHA256
ccc19d8b827ae27e313e3a4fc50e348923a660dedcd9646ae2e6afe179fb0a32

SHA512
94191bbbcb9fd9966cb536b7b88eee8daa8d09ce937eb21cca99809e9d36b9a392f31f5eb47f5e0921d9735284e61a0697b1efee862bc5b446ca908b6cdacb67

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
a2a30ade8c8ffe390b9ce718f3ab9739

SHA1
243206c209cc8b2cf4094c9b371cf2f55b47bf5e

SHA256
a83f7a73e664050084ea3f3ae8b698dd20a11827f445ec6dbfed4f9ca8ab1fc4

SHA512
4d6b5c37b46a53de32a647185671d01738283cc63aee117700d70b0c4642e18f325b6a2bc10dfc82f02b319d3c7241bdeb8546ba77adbc95a12780027718414c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
2e588c78204a83056e46ce9a674689a6

SHA1
ce20c90edd362eccc8fdbdc47a54e6f8a687f875

SHA256
380bc3d274b52297d0d5247acfbd47c38e1206960407ab5b006d732058599f7a

SHA512
d338ca11118b2081df05e5da4f6b1492b0ec433f63bc7f77b1572c400cd43b6ea902fb8368ff06b240d35a86fac4869575f3ae48905c93f825ced7df1d52a54a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
250df66e1e54b307904e4131008019a7

SHA1
8e6aec1e7238b8195b14956c08cb63b12ee436f4

SHA256
0116cdb4176b4d3962108bdb99ca4aacb8d38a32eddc19b64678a49c7c8b9942

SHA512
7332c6d1123da92b81425962529eda8e29fb080f4735ad9ac4264bfbee4eb6b134af910a23073ba474b3093063025940afbe7c23ad86d066ad63c4c4d9d0180f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
e0ace8ac40c7fb21b2a5a866d2238b7e

SHA1
72b37c3ad7c6ff26833f2f09388d51fdf4095713

SHA256
e21b368f182c1ff40046a80b43f015f0e369567d4c0bcb11ecad1f1b5e5ae03e

SHA512
9ff4b4fd0c292731f74e77347d1f7e1934783f3e20ecc968ad376ca517d1d81099dd500a38a4fc768f3777ae79019250c2a9af4a0affaee53fae626efb224217

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
09a10b450615f7268426bb66f9bf9903

SHA1
4e9b42a039d07ea3868685115a4e3b9000c75216

SHA256
d68b383c6bc01c29800ce4ee41d47c615924c3cc9492c966d7381259c630499d

SHA512
1aa1111f6c0d3ed04009f64876ceb1016a48f69cca0c22a2ce620815aaf056fc954fa356c583c179f1b64b1414d593a540d3776939c836d5eab9632a46dd4737

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
fe05114b68620e7a174eac9acb5c96ea

SHA1
43e94ccefaef286415608edd2f682768b6f837d9

SHA256
c1f456535a607fda36fdbfb0687f327b6f6764565fdb64ec0962bab499d80c03

SHA512
a18b224a97237f801d5467f0caa9d3d6ed560c100c632b75269983d18ea3febab4683c46fa076ac3b6af0fc1b494f4061db4a524751658ac1c8e4c990eec72e8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
dbaa5dabda423160e8081fa10d5aacf2

SHA1
c72b67d14b5169e2df83725e95ecb7f92c35df79

SHA256
5c7308ffe4473610afbdd31d07b8342135c58f2c5fe7f65823540bf120296136

SHA512
d2ced6cf2790250068edacc8593b868ec36cfb949943ea7a95406b1aaf095f5b19a5beaeb1608f51f714318d1cc4bf4324b73ac17a488f978d86c65de8b77c85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
6e7cf2c2cb18ec081c1910fb3739476a

SHA1
8c742daa603f89c7746230fcef9d67c7b9465875

SHA256
1c77f3c8511ae17788eef830f1e8e566fa298a8249409a59197f317b89650bf7

SHA512
8007ada6fc2272d89f918c00220f9366472244f38a63d304dced77e5d27f164f9b64206230719ef9329fc6a77b04a5ad796fed4a8e80a13dcfbb208e5fff07dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
7fb1554632e945a0bdca4b5a7d236589

SHA1
65a0b8c24b47eaa0e08c9ef0b42460dd917ed5a8

SHA256
cd54ea74c295485f0b1aa9e2ede4c3f9d2f0cc287c321b175366ed3f485aa888

SHA512
376941277afbde0d7b7d3e07ac347b2980e74cd896b827455b8f1cf2e8ca1b32181a31f48e614cdf8de74b55271e7cf1169eab4e87b4da42414a24353d386fd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
60473867b71be1ea02f6de35dbc93d46

SHA1
39dcf1f93cf493c533a81969f3d74489f1c1d6a7

SHA256
9962e4da5e664034817157232012108b3daa75cda13342adb1e03b0fb81ce812

SHA512
df29da504a7d39f408c4a736f0594687ce069dba47eefa937fdfb0198d2c76567cf3123a98418631258061587fa5dc1d50abc9182d4fe6fc209417ae6c549826

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
77349569728721e7c4dea12f532f76d0

SHA1
13e4207b1a9b49602b4ce6d4ceaa86c025eddd38

SHA256
06d50574542d7f70c3d7f386105b3ceb37ff10fa3037715dd905f84549849df5

SHA512
e2b18a7fb2472c6b19d0d099e3a386a57e203a727b9ee9b8cc016f135a49a58311e60ec7c732c41b7951de369c85f2f4f9e081fea6c7939a128d1b7f5db9ca15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
3012c34c55ae1b65d1463f236970ea2f

SHA1
27622dbe16e28f70065cadb733ae1c198b8440a6

SHA256
e763db0ee286b6a7e3920520cc9e0184014efa662a4accca1bcf00c942a08cc2

SHA512
d3ace51e99c7411dd9fa5bf15e4d6da591eee601a9efe1d1df3cbeefbea6f2c449df8643741eaa5bf944e7a62f13e5f5b9da1ee6d249215a3ddc8d2d0b80cb00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
cd5ef33c8cbf507161b79de828c323c2

SHA1
16630f97122d52e1978c98347ef4ff58f502eb0c

SHA256
949f34839cf8cf7a0995fe013b0c8aea81c456e64e9b2031f7bc73352698ad4e

SHA512
afb2b148828340f22edf9d9c35cfa0cb041770786492327e7dbf956249136b76953d3f9fad5d34a5b288ebc2e2c7a7b0d8dc952568ded40d77f114fafdfdc033

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
08c9842c7ebe652ff28ad8b8de4b019e

SHA1
8b7a70a3dc6f88d60058d9734a4517d81170d515

SHA256
0c63629c7141ce1086d1c7d769e9a00553cca73fd8beeb520e1a66dfb9619d92

SHA512
1886a1c17438c473fd9ab9233dc0f3a1993884ab4f71d2db1af7e0e2dcb5e1661c722588ef4818aefe1b4fcc7c6d30478bc8d0609b3f28800cb91db6a3716f33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
ec595e4c3ff5925ac001b5e32621472d

SHA1
f0bc6b68de2633d8eb8ee44c408851d1924c512c

SHA256
45cf32e14b9528f991bfa8d95c187d0f1717aec52b33189a221fa206537049bc

SHA512
b371d6208deaa0c9d8f4933a6cf5c3a9e1a5fadb471c968b668abb210bcce6be3de7dd31b4d9149c4240efd6a68055c10a21ef9eb71a65096075a12c4360d152

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
378499ff6cdd207557479294b9c6ead5

SHA1
fbca6ab9dc29b5bb48d270614c94e9210cabcdf3

SHA256
49959a01fdbca55aaeebb907c6297bbc93d8e1ca766fda052ba982dae441be84

SHA512
2df7de647bf218b7457c7fe670349b34c4217811aa0829f7ff0c2f649c2809a47286b008331d2469598f43c762441e530188c7cb7e7f146a427e3016dbd67df6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
da08dd1c9a27f72730374d69cd86b14d

SHA1
82e1f7bbae217522d4a6714d1a89220d14f1cef4

SHA256
fc2c709fd0fa165a8d8deea392b0e0cf271426d8dde780aa247acbf186c2c71e

SHA512
9e468815e63d9aa95f5f5c799d6d42f3340428cce7fb63a65c955a8fbc78c31a37bcdb0a75918a653bb48997d94fb8778bed950cc95b09bfb82a5fa6dc7e294c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
88b1ac06525688794dd4e3462c78d964

SHA1
b88cd43ebf497688454585c903131846c5f82515

SHA256
5f7591f94582525e663bd28ce3d537404bba2d29243ea1ef2271349cd0e57225

SHA512
cb3685f5f355a8a4ee84bf8bd10d1bdc5e23bdbc35b074d9e1e877b77c64e2679d2899c0ac8112df724d2a7ee0630fac19970337fbe54a3878c81ceac6644c4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
45cdd970a1f38aa612a910c5c44cac99

SHA1
9dd9a6a7874c397abff99e66cb4926912b8675ae

SHA256
fcef2ff17183a006fa0db6e9befc6daeb3e5241e61d71abafd3d96944b50a897

SHA512
172a6092c294d9291429c3c9efe7c767eb23d95414b5e7db7e0726ef4873af8f60e5c3c51fe075f9b24ac037f54dc0f4de5b4b8e61c6eeaa4e0d72f8bac55aee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
8c5a1296da688258dbb289493d122737

SHA1
23f4fc793ec81ab6c006441e6e593a333809794a

SHA256
f9e5f3d996f3bf5986a5e8bba63be6c72a2fe2e386dfc07e53eaa703417823e8

SHA512
7581f559a0b75358799871a398f51f247679f40e4463aeab61dbcc4b0ebad14b55fdcdaaf8cca0cde6cafebb23f6980a58ec6527139c70af08b94d5776f99d2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
eb13eaa949413f952e66569ba48ca2d8

SHA1
35aff8d6e89b8d655c70028f0ac09485c67168c7

SHA256
2f3843397c3b6edd07763412abf87f8bb72e12c6084d88eeb20fe253e5dc83aa

SHA512
5605ed931782fce15c3f940aa24a86cae9950fad4efc32881cc524f5236b3303b0b5846371a4667eb977ee50aa6231753489196669f4111f598808aec41abba0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
289e02c27d5477fd5147767a0a3de2dd

SHA1
8ce9d1ca6975e91214c2e9c642ec95ad5422f8a9

SHA256
46f9fb573a0108b902e903081f04afb2372cb160c4164937d913aef8f8d09ea1

SHA512
bd6315f952327ebfb0762c0f9b16f5505636d418a6e274978f578d64edc522da809713d6235017ec711b3398ae077a144406ed0a3e4d348d1f692d7f2d0e07d4

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
76c10e6343d790524ba79d44df347e20

SHA1
0a4a64e3a5a95bda94a9c824634a8591f749c3d9

SHA256
9ec5d2d3135a7a5b2ddb398118d1432457c3fafb0566c9f7ac9053d3108663ac

SHA512
4dbf1fcf4bb889e11ccb03426b33df85d6b0eeb74114e9faef7133debed35c5d26f6a38a2ec38ec61acfea1b5b040a6a882acb1feb0feeda8dbdffd2e2fa4740

Download Submit
C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrManifest2.msi
Filesize
14KB

MD5
0162a7a6ca55dd442e64f02c36187314

SHA1
24392ff794633445f4fe12a8a422046d24d67482

SHA256
5aa41c7e3160dca492317182e2cf5ad947e91457b5d4a39fc5d7aabcc0c9dd8c

SHA512
36e1fa17e868670b433206734fe028ce6b05dc3c6266c557342152fb3cb1984455fe6a9345c877eff394bf6959c6130a861ce7f30004d23c4a580227256a6332

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReportOwner27011.txt
Filesize
4B

MD5
455831477b82574f6bf871193f2f761d

SHA1
f44217a81173869e08671753c52553646ff5d95b

SHA256
69bf0bc46f51b33377c4f3d92caf876714f6bbbe99e7544487327920873f9820

SHA512
cbc0ee58e447428bdcf72fc8b03c8cfb086edbb14205b918e75ebeff1d85ff1dd254e9dcb387afbd3fa766c803937c306e0a2a79870c0d87abcb7ab93661cf85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp9347.tmp
Filesize
5KB

MD5
eea5c3b8ab21420fd068d60c1df38b85

SHA1
4891795ab900af8e26b88604d84076fe7911c407

SHA256
5c89686dfa61670bf1df890857583703d11932f4987ee4b5f53042c1dbd1b1a4

SHA512
753daa5720e173e9f6e70547a0ed7f6a0a0d69508c03cb748f1102c951657a2e17b79815a13c36fe4d46ea10064d6eb59184c0e2e8bedd629a9d893f1b791246

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpB23B.tmp
Filesize
5KB

MD5
ddb8f08ea958100ee5970f534c0fa9be

SHA1
711b2069ceff68616672c94075a74f43548f61c9

SHA256
10cb0f42806027c65f4cdee639e3023a911414eeddcd88c56c83aeffcc85e3ec

SHA512
cb574965bcd81250020dad28bb735f842aaa3b2b0ccc652faaafa49e0dae21e19f446fc8fa8cd86e19221d4acca60a2068ff0d741b91fe816224a884d551700b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpBAD7.tmp
Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
61d99258fae050fff2c32b7e957ec87b

SHA1
565955b7e36b56d0fb23d49f0bc324f80e2138c0

SHA256
aafcc66f2b549e880e55f710fd916e22c3e53431cf0de7d2e9efbdf43bca5fc8

SHA512
ca53b3563bf1018b1fcaa9dd7a8cbfa3cfdff003c6c0585ad7cf1aca33e2ba408517805aa127bd1f2dac84f319d8876b34cb02f99d2af815e62d5ed53ac07bba

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
03e5f5e15a65bd271c92f16aecef173b

SHA1
785c420bec283ab18b7a773a43e940d14a1677ad

SHA256
e00508f637cc2b2608d5f89aecc64a729989be82a688689ce53f655676c3b96b

SHA512
37fa8a503dda0c0ea00ec18f1ff95ade5305c637fa28febc15ca7fda83c7a72def1df69bac6db70fff4738e5ea2588a02c4462385497675cbda3cac1738a20e7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
a4add7c9b5584090729137ea00a869e5

SHA1
536c0a380708b11b29213b6908640c3ca0425eb3

SHA256
145ed08565fb63c3eb1a27561ecd7d0f426fc77b65db8dffcc8468fd5ef5e747

SHA512
1cbf94417601b7624c87e8b74b13074a1b8053cdffdc199cee3fb4998e2dcf9daed7c1436ee0f75347ed0934d6e060262c4eba2ec175188761280b9f18998848

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
55e3a5615a65cd02982d20449fb73071

SHA1
6bd8bd876d6ded019a2fea39354a18d6af0dd72d

SHA256
2b78da90c7b4c989a63e1e7367e97d0b22cf8043ef1e5b4844133e3bda551b37

SHA512
0a0ad842fb0a4cd16bf8c73e7a8bced8964b76baeba82f89f652f3ba06d82ecd1c3cb5ecfa9b66b6c40f4a81aeeee257c7285d281f1f47a41ac25beced4ac299

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
6a1497a093b413afbc757353d9b2e089

SHA1
800c29cc65ac5e6f587ddb86b23e74db0af7c007

SHA256
f510e1530a6ee05d950d77f8fad96d5c975a76d75ce26e89967adfd60d7d2d3c

SHA512
6610a6aaea89d3ae694d9d5f61f6f60eb4eab4a576eaa79aa8cf95ca810ba95a761c498c6cb89e11764e0686acec1a81b9216f726ac429d12716f35961612c87

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
157b98aaeafc3de9e7f9540247ca496a

SHA1
44f328c1788f57f4cd3693a2827f3f75b24abc02

SHA256
65fde4c914654de20df294fc1bd607131eb04c37f35b3546c0370d6ebb42d2de

SHA512
b4a7b9406ff4205b3e565091feb5862d659c02ffe0347b925451851d87505e5d09aa366fc2d566ea858237190cc0160ce92f1e186f0217957affde8ca06327c6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
1de92079a07361cdea897e4297ba7797

SHA1
f64d12cd7c40ce18e51057ff2bda14339c4ef699

SHA256
ea67b7ee22a1f1406e8507c10d7f546c32125e120fe3292b21c1ab1a52c28401

SHA512
1bc7ee38ca5c5476593caf043e334307d1f9370a2440b9f5683107de434c714e210faad6cc597ea73214b80c2ff15e15d0ed0a3f34c17930b321d12f211dc8e3

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
3825e6ae30f44921c4773c8cb935055f

SHA1
4c0dc0958822d5191c232616d073821e9750d1a0

SHA256
419428b46e43ee8f5f3884e435cbcac576e0fc8b5d2fea25f2fd3a2a0181c743

SHA512
93d28091c10061c27b71933e48c5faef460a8b5d817a19c0ba8c8c081eed75bb97f4802aa6643b8ee61f319d1cfd31e0435caa8928a925195a0012808318eca0

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5765e6f9c952aba0f33a05af9d8cd754

SHA1
843e01738ff18f7feaf1bf668c2caba8dff33bf1

SHA256
9771a196ebeb9aa2c6d9f873140263e3beb463bf484279d578d723ce990c1c58

SHA512
c2c95e016e16a4bae43e01c446ffe8df3ab2bfdb0776170610fc0878fa626a59a7efa3d7b4183452ee773386f0119c150598fc5b037a783b7f60a0d056ca87b9

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
d5e90db70b9a5f34291193106daddb4f

SHA1
9db72ff64088d289e2aa3ebaa1d1fadffe4a28d1

SHA256
f3a2f8526c94f37f6f953f752a9a344a5308ba097af5515237efa7ee4a9c4c91

SHA512
b050c34fb915c371fd8ab52e5cd6970d8e9d7ab2cdd8cf48c2211e255e3d7892d290a96df8cb6b0390a400423b338f280933c3979a6c076b8b7e1a93b1c45bb6

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
a54ab140d4ff533e5e830c85e92347a8

SHA1
f1ea3ec150ff364bee5acad4db1d68cb0bc08b42

SHA256
1a5da21d2b2b2e2375f11696b8a75fdedf64b06510349b958560a265efc09c1e

SHA512
78b8d1a62cb0f494e6d67b4409e2814c6d38bc2cc1b4163634922cabf8f6603fbaed335a7e9a975c39e85adcf6b270827aac0b2a6c739c223ca9de7eed9560fe

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
e60f988aa984b605f6bfdc84a58ce9b1

SHA1
04f7a8a16406c1cfb24e7df7c6c4e1701857f6f3

SHA256
876f9daeaa7541f187a8d9431ea6589e7bac8b68b13e4104760a63905ab11f96

SHA512
3e98e048acbddd677588e8540ca08c9217e0e0e55ae5fc57bc12fc12fd354b37a8e368f56c6b341fe83aafbf52b4578fe07407afbdc66f3630242b450592e3af

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
1ec47866ff363b9982a50aa70961ae0c

SHA1
659e4e0294dd52cf3566c918c5efa87362be11ac

SHA256
7292a7a33c7302ecec7b99ddc5a43a2e0c4f5c904a0d2035cb11f22cd95f9c7f

SHA512
41603d3a4197ce2883c1ec73dae28662dada1bbe923fbc1c2fbe454b02a3a490104267bf3ed307a465e96fae0e3554cfbda67cff3e37a0ccef3be0cd4b7c1b5b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
ac6719ff154de67f4d030dfefda7ce15

SHA1
d50cccbc8bf4c85a4a8533249a10fa2fa3f7abc0

SHA256
f1f0cdf89522dd8d44168a9a66045fbee633c8c1b1760ca399b3dc1374ab7b06

SHA512
80bcb0865e2f228e86514ab9aab8530930fe968a7ad8e34dc5347d0816f9f9db6f728297b3c4275c39547f267a0118df1d226c9c3df2f6b1b1d7c7d70dae0f1a

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
e8b75d3395007d5649dfb56da3c17f51

SHA1
68fd9a7ad664ed1ae7cc63c856513e481ed8638b

SHA256
ec7cac4096535bf76c52d7a06232d051d98353ea48b74082bbd2b22940026528

SHA512
0ab2deb4e48ec1a3a6c5c9eef164bf816efe487b3b03c2ce90cb05a5d587bdd2e577b3c67be0712936eda42cac92ca86d45816ce4e21d0145d5073d84a73faaa

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
bbfac10168bb32100a2e701ac5a08c6e

SHA1
cd69ee5b425305f62f15589670b363bde1f1157f

SHA256
1e06e75f55f6397253e774a9fa85042dc223999947136e81f162a04f3b63233f

SHA512
5e687c7956b76248b737c78dfd8dce11084c6cb55e1d0e7be4c44ecaf3b5541bb62b8cb0de091e7b0795e81046e154aa0b1648ac6d3034cd2510e900060263a2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
065134456a3ca7882a37b23fbf9b5efe

SHA1
49e8282dcb4b30d780c4c0f40540b0b86221190d

SHA256
1894d0987e581653677037a6b24ad0f2fb0e80ce7d980030b00abeac329d706f

SHA512
315282ad6dcb575c9319c0a4c20100983ecf7ce1a977a3c594e7dd0420bdca3bc8cec20cee77222f3be4613abe25b4f8a8201cac58d1c32649b5caa038e27155

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
f3c3f8541d1238d0f55582f8dc1df726

SHA1
95b2d6bbaf131653beff56d42295d97ef3cf9978

SHA256
97fcb7e4f3182f9c73e8614b11bceeb8c4e34967b7668e44ccfdee28299907d2

SHA512
5d09f4cfa32a750ed80e01941011118019612b4b39e9719c88ff34c042366daf74f46d94d362a9489994f110cad3f27030726ad8a5f0f3a3926b81f23901e688

Download Submit
C:\Windows\Temp\ArmReport.ini
Filesize
472B

MD5
150650f8b4ce06bf6720a55c29275c38

SHA1
c69a908cd7138d119f38c8db07031364b1d21388

SHA256
9d7407b8bcd4af6820eae7da00db7598246d0f58dc502ef3c89aacbd9cc8a104

SHA512
fcfb7f30078c6e1c43cf272b96b5fbd599fb6ea694cbb79a7a3e40de0eea9e031a4b67d1c2f348d3ab19760b48b67758fd7b4ddd921aab9f3e8d3a064c662bd4

Download Submit
C:\Windows\Temp\ArmReport.ini
Filesize
596B

MD5
dc1ecc554b3f04dc9600236cdecc8a5b

SHA1
5ae617e99bdded544273928e3e02147405e6a032

SHA256
550a13ba1f49e521874c12f8908b48d130519016d3abd734b9ba3e3695f2a8bd

SHA512
5c18ad0696a910c5806e952965b6ea6a7943443714eab387cfe0437c5546b6b43c87d70495e5a21ecd284faaf545ab0b6c7fbfc5f89b27ab4779e3cef124f11b

Download Submit
C:\Windows\Temp\ArmReport.ini
Filesize
726B

MD5
66912ae2193d013c3bf5b8b031c7a36c

SHA1
e5288840baebf03420e92c9deb1a60121f24467d

SHA256
c89ff4970db3664d4435522769ed127af57f09ba648689de94c00a60572db3c9

SHA512
c519bdc0aaf38be5206f763c6ec85e3b1d245ef900c36f2fdfc8865783430e62e09c53fb344e4559e939e4ac40a2fe4e81b79e396264be2dedf9a237cdfb1462

Download Submit
C:\Windows\Temp\ArmReport.ini
Filesize
764B

MD5
f42344a5ea9de1aab44141b96b820a34

SHA1
b23a200020fbdaf7c23e39945d381fa814d68d37

SHA256
9e41e1f570b18efff9faebb19e8992be6460165403129aa3db838a2bef8956ef

SHA512
a5534eecadea9dacf00907bc06ce7eb588fd234570c9a6ff1d903f4396eec46b41fd4203f07ece98060f7ef4c44063c3fe1dcab970b80bbef2162b6ff482ff16

Download Submit
C:\Windows\Temp\ArmUI.ini
Filesize
234KB

MD5
cd12a965da4fb66e7f8a07e3f421196c

SHA1
f6377f231362acbd1063aff829ced283a2660b89

SHA256
790b06745f32e0f56a7af24c871ffce225ba05ebf0d8f8a71a00c727c97dcf09

SHA512
3fa242c3f573c706e0f36b477ce03f47d9ba0712ef72b94eae4f426dfe21ebbaf1dbebb0981335970b5186d416b4d25e175773796486f39e17de1df0a68a9b0d

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
e4ff08ea2a0f6a26f894c75f6c4a9eb0

SHA1
38ac48baa40d2d5fe43421e584edaad2cd07c928

SHA256
307fde2cd34bdd0b406d2105b321466fa61aca99ff298d24af51e8bfeb32607e

SHA512
bd1e6e0bcc036724602c1d07b81aa3a9ba2527cc895df940000aac3eb79158305beefce6b911b1e41d94fbbfb84c2c27efd1f7e3ae636fdd75fe893a9d9d655b

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
ade7081297657989915a1595f8b072f0

SHA1
ab49201b13f084f54dfc7bebb6bb3c1b084228f4

SHA256
e8f9efe5420800ceb6930919fea45d750e8353273d3abdc322cbf4553e20c852

SHA512
f51a974661bf1a92f85c5010fb5635bd7d0eb00671cc125581e33201136f972aac028c615297371e7a6ff1c8c1716a1ab6f625556f2d02c4853c9f0ef34e5f53

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
3760619cbea7271c9b41d6cf6962ab05

SHA1
628bb052d0267c30cf0a2719d0fd3327815d2f4e

SHA256
bbf5af7237a4d432cd280b0c437e5e127065679ecf3dcbc6522d020445a1b476

SHA512
5662abc6a379de9bfcde0a214a18ee6ce6b2340355be3ed475fcd8055cf630a45fce4b431243d13865abdac1dd7c204af4c46c4767a6930b7acd9879f5a916e2

Download Submit
memory/748-624-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/748-279-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1020-173-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1020-192-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1188-769-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1188-882-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1612-118-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1612-119-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1612-110-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1776-274-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2108-139-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2108-141-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2108-133-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2108-579-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2152-278-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2476-353-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2680-128-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2680-130-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2680-142-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2680-154-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2680-122-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2892-273-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3028-169-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3028-159-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3028-158-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3028-165-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3028-171-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3572-354-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3704-356-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3704-768-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3752-580-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3752-152-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3752-146-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3752-155-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3836-767-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3836-355-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4028-620-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4028-193-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4296-293-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4424-16-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4424-63-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4424-62-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4424-472-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4424-61-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4508-545-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4508-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4636-623-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4636-277-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4876-276-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4912-208-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5068-352-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5088-272-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/5088-843-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/5088-0-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/5088-8-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/5088-1-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download