66f1a701ce0db0ef96eda54e484096defa92e68c8ec120e7a69134311e11f7b9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_b3f5bf6c904886cc3c4f7985b8553937_avoslocker.exe
Size

1.3MB
MD5

b3f5bf6c904886cc3c4f7985b8553937
SHA1

f88b31b1b57ad833a1c71d5737ccfd7c050b7511
SHA256

66f1a701ce0db0ef96eda54e484096defa92e68c8ec120e7a69134311e11f7b9
SHA512

2f2858528e0e52fbab0ae0b82acab19907fc47b5c18c6fce800d39ad2d96ad0ab4353131c6797835236c3bb7bd300f2f7fdae2c16ea05d9bb8570cd81d8c79e6
SSDEEP

24576:h2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbged+qMrfUgYbkhqfj8uqw:hPtjtQiIhUyQd1SkFdirfPOkhqvq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2204	alg.exe
688	elevation_service.exe
3256	elevation_service.exe
1016	maintenanceservice.exe
1736	OSE.EXE
4568	DiagnosticsHub.StandardCollector.Service.exe
1012	fxssvc.exe
3864	msdtc.exe
3416	PerceptionSimulationService.exe
2280	perfhost.exe
4044	locator.exe
2080	SensorDataService.exe
2700	snmptrap.exe
1580	spectrum.exe
1060	ssh-agent.exe
3640	TieringEngineService.exe
4216	AgentService.exe
3584	vds.exe
1772	vssvc.exe
1452	wbengine.exe
3120	WmiApSrv.exe
676	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-05-23_b3f5bf6c904886cc3c4f7985b8553937_avoslocker.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_b3f5bf6c904886cc3c4f7985b8553937_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7dc1fab5c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022baefd53dadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024996cd53dadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b2095d53dadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c3589d53dadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a85b90d53dadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebbe92d53dadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b01dd3d53dadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b366ad53dadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065f98dd53dadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c409dfd53dadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
688	elevation_service.exe
688	elevation_service.exe
688	elevation_service.exe
688	elevation_service.exe
688	elevation_service.exe
688	elevation_service.exe
688	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-23_b3f5bf6c904886cc3c4f7985b8553937_avoslocker.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1808	2024-05-23_b3f5bf6c904886cc3c4f7985b8553937_avoslocker.exe
Token: SeDebugPrivilege	2204	alg.exe
Token: SeDebugPrivilege	2204	alg.exe
Token: SeDebugPrivilege	2204	alg.exe
Token: SeTakeOwnershipPrivilege	688	elevation_service.exe
Token: SeAuditPrivilege	1012	fxssvc.exe
Token: SeRestorePrivilege	3640	TieringEngineService.exe
Token: SeManageVolumePrivilege	3640	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4216	AgentService.exe
Token: SeBackupPrivilege	1772	vssvc.exe
Token: SeRestorePrivilege	1772	vssvc.exe
Token: SeAuditPrivilege	1772	vssvc.exe
Token: SeBackupPrivilege	1452	wbengine.exe
Token: SeRestorePrivilege	1452	wbengine.exe
Token: SeSecurityPrivilege	1452	wbengine.exe
Token: 33	676	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	676	SearchIndexer.exe
Token: SeDebugPrivilege	688	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 676 wrote to memory of 212	676	SearchIndexer.exe	SearchProtocolHost.exe
PID 676 wrote to memory of 212	676	SearchIndexer.exe	SearchProtocolHost.exe
PID 676 wrote to memory of 2508	676	SearchIndexer.exe	SearchFilterHost.exe
PID 676 wrote to memory of 2508	676	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_b3f5bf6c904886cc3c4f7985b8553937_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_b3f5bf6c904886cc3c4f7985b8553937_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3256

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1016

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4000

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3864

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3416

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1568

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:212

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
796fc2b9d13bbfe9d9ef28a7dbc6d781

SHA1
33710edd4fa3ea21242e20c4e26113a5f0593420

SHA256
9f1abc96af42756c64206c1a0733de4b7fecddb9f2da381906bcc682513a8c46

SHA512
60a79e1a5fd115ee8bba5f0165a4c817184c8a172ce4fa2900367d63b9c220a36a071c40ec436e6d187cc5e294b32edb98fd68e0799a4ffc2dfaba673665622d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
afc41b5f6640f0e53c13fb07a51a48e6

SHA1
89a3a247ee12685f471396bc2ec7c429f41215cb

SHA256
d35a75444730491f5d1103fec93da742b72a5b0ce57d1ec944bc45f8c5e88e80

SHA512
fa1983ff459e98f73b6b13ee60a8d55d3272d3b81ac6f2e1dadf39ffb47323934e2ec317e67bf0ca5459c0beb4865b360e357269a2c3908673ed1586532e54b6

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
a6a554dc14ba55c6263f92f1e61f7947

SHA1
24cb4c1c72d655c9599177e5b74bfdd848fe9a60

SHA256
1a4ecaa0f6239003a0820c4b1f7d00a9981f6d5750d5fc30cf3d44e5211482b0

SHA512
43a27816e092656b08a555a49d2cd4ff897565ded36d105ed8c0339b4eb718e8dc6d597dd92e285232c2f8b42159646a037773ca2373fa2f55d859ac693a54a6

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
2d9bc34f03bf1b484a7fd16118c60cf6

SHA1
3377df134be3367fbee426cdea40ab46d2980926

SHA256
6e6de98bcf8639114addc81457f5265a8b0d3d5f5bf591115c9d6ac22b8ad720

SHA512
8ee3d6abc0834d43e2e1585ce1dbae1675e440f3163b92b0134ee3b5c63d1ff567f1e0747740bb21e2c8568035451482fe3f8886a3568f8ece82d5b402dfcf0f

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
3414efc55eb68e948da1e7fdb14c75c6

SHA1
63393b06eaf288772525cfa7b8b0b784f3946618

SHA256
52551a5f644d7d46dcc9c8410bcf947ca7bfda89670c77b6bb4e84eec2ef20c5

SHA512
63ec7f276f36e239b3d355717daf225deb1eb578df268d53dd6eaf1abde3c258a806862d543c9f283ac021dc879bd3e96285f17cd2b0fb4165778e0b215cbf3a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
1e1261c36f5266c00236d5ec958e72fe

SHA1
9a032f85f115653a5397d7cfbe2a58e2fde3607b

SHA256
f019cab563f938d93735edd71a349f04e2c9b1afa6e2e622358140246913a3c4

SHA512
cb11bf62fc4fd16d637ee1436c9154761a07a621817642ba59f32ad17637e33bd990337d6be68df34ae4bf4fa9231cd9d9864c4ba7d7a99b74ef83e15eb135b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
60886bb4e3ab47ff8fe1a98503d1078c

SHA1
cc91e1d78a1e7e207f97ac71f03261b71d6e9d12

SHA256
b9bf238334218039e9a111118cce9b570545e2b9005828e2063502e48d92d2ed

SHA512
05a3b02868700838f8e99209a61f526f5dca6330cce24b123bb730d549d7df03377f4b7c41b564097b9350f51f46e601794d8d9ec28da7d7917dbdab262e6cf4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
e3a6dd83340b4178703e440dda1a4b3d

SHA1
3026993c5479f577713b8ead12e725bbd7a122ac

SHA256
abae95a8ef271fdec06ecad4fa17a07987b49d931876ae6cd66793a5e0c1e512

SHA512
94f2e78858251baa0562956545ee5fe16601ba771f2416e544cc134aa489942e5375adfc5d42bc3464e8a02aca1a0debaf5e1290f997926752988b16d9907c1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
80071fa255be89fb347d1cea501db7a7

SHA1
aa15a70aad0be7737490f41c932214c0ded4413c

SHA256
871a7609fff596d6d2fc7969469aafbd3aef303e1c9d8fb891beb46f6dd5b655

SHA512
30cb78012f950e02952d9d51a5b517a2366626265c53d55d5c1d6cb6b275d990d9b7829972f466f5cf993bbd35136150db74bdbfbc382f2b00249791161e92e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
cf54a245bb5671030a9b45d11ec13d16

SHA1
8bb1e9397fb9ad635e55207bf79692fb6f7af01f

SHA256
6a27ed77a356bd9b0123fe7bb3e65c192f7806fdfc62591e9ddc7b921c167f5b

SHA512
c6def88755f0624715b47c18125ff9338ea2fbde191c0c252044d8065702681f4993c06fc325a3de05036b34200a3510460e86a2277f94f6ebbdc8299fd4c300

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
7c5e6572cf7db2eb424589f77e72f109

SHA1
a3b9aba2bd2d3c52c48c4a2b0168ad7496f1b352

SHA256
be2755e000aa8ad648da8352b5b3a75b9b6b394715994cdd2203072cbfd559c2

SHA512
1c9ec530979fba32d8ae0cae74ee34bb35f54008f0b07067708c0cb1343339ec059efcdd903c9a6de5249c52aa8011e878765d3389095201a4e9f3094051d1e5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
934a58b869fc12e3b69ffd297d98bd45

SHA1
f6b3cf79df91d42c1a961e201c69f6fdb498d4d9

SHA256
2fe6c81b1d70c3934c809395020d010db3fac6467d662422d36d04f56ed48a7a

SHA512
6ed246739038c230f35d340787839502ca34eda15c4c2e891232ce600c93a1d57544e2ab099582e80fdd589f865ccb20c8dd4728758b96a300146565f48895be

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
074f6847b449ec6643e0dbab189d3700

SHA1
26833f1b8e689a724269a383a3710bebc7dcc0b4

SHA256
9d38c7687e7264e93f0019fbbd7d9bad332c2e27e79a9f5269419f637ae6c793

SHA512
7ecbda9bb374af024399eb5eabe0f6201ecae136bb0f432bcf514e8654585b3abbafa2fa1dae9789856ec3a6c1ea3d047118b5279fa421abe9ea5bffce416653

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
b203d7abf756017b8cb5a98f064f3b26

SHA1
e992190f51fc4cbdd7edc39b871053888a945ff5

SHA256
7468ab5c84d2fceabd7186af1d4d22c9e82ed7ba7f627581f3d14147ea451a8e

SHA512
155ed9b3df37fada89ff208ab15e17c9bbbefc1e066d1f7cddb8793361da676fc159331ff264efe7d027194693d7b3c45009bb0fc81c6e63a033c5736c9c56cf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
4a55def522abb738c313a2d2781c93d7

SHA1
f7af879d1812bf3092849f8dbbd90818ce189d51

SHA256
01957ed0bef4fc0d874653d66e404938d749ba944c7bca5bfa103dd5ead0e934

SHA512
a7a88b17297912f2ad3a899cdeb3b34aeadd1e398220c3eda6092eaf2b175a3ef7c437356528303aea0b3e8f45eba29d0491a10b86c63fb83fec3d5c055a200b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
9a8e3a9bddcca5de4601e224daa425bd

SHA1
6cfa69e6d87518ad4b8a053c8c23cd38f4f99766

SHA256
dda8bbabe4b584ebfd9dfc92c2b050003e67551d2a226752917c960cede2a66a

SHA512
7d0644c2276fa19f80e08d5a192c44334c1d64d82f719d3143f7329729ee166ad6963a4a40db2cead5420c0e45d95a30760a65a3b4bb038c4a7a709cb9b7fefb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
c4ce045f06b309e39d4688640dfe94b6

SHA1
dd4a6dfc1c721959c704d69d8b6e39374f889fcc

SHA256
87de705b6c00383a2917952c4096a5b5e767fd91cd8290f11e9fa45ecbdce0a8

SHA512
0bbbaf1e7bc3c539fc8938b2823bbfcae78c6888bc6bb9e0503dd0c864d586c9367467b20170ca7f977a2be8d05896836ea7d02fbdd353ee4fd81bf1e8268d93

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
437f1a02cdfbeb2914693547f03a5b6a

SHA1
fc1d0d98c885fdbc491526fdaa4d1f118e609873

SHA256
f95d9806145865ee3a277e570b696c7022f37d14b9ef77e2debe7fa631dcdb17

SHA512
81e2abc6fa495486771d0670224db7c6234cfc50295ca42ecc999bb72f1ea44de25da01a640da7bb661363402ed3ef830466967e128e934ede49e4d2cc701abd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
23d2de3349f83811365b4f2a3372e1cb

SHA1
9279b49e80699dcb9f948e93a4b434687f3e5b8f

SHA256
8fa2ed646cb11ab6d30dab069b013b7999737bdd6c7200799bfc57dcb0cd6bc4

SHA512
47d3829509389fcfa7abd63d3e1a6f13df6747060ceaa7b4e57c5e6a933f190050b3c7dc20fa51b79f8fea5c19acc547175a9b3e7e881c865cfd38d3ccae599e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
079693a95a89245ad7a357118d146bde

SHA1
cf464fc27783d043b0410acb44aefb1e2c83998b

SHA256
a3347fdc159b8fe1909b43956f5c8581a9394d92991106a4d34154188a6afbbe

SHA512
ea02eb5c55e04d510e85ab51bb79459a902f7aafda2c98baf849fda08dc63270f5a2c90c0a25ebe7425570164d2ee27be7cae7815e99cf4f204782668186e8e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
61f4ba07ae36c22bd4e51e48b1d1b41d

SHA1
0e59e48c842beaccc0e0dc39a25858fb31075273

SHA256
07e4110f7ff64f680eb3c347d2472999e5bbbb1d76043993ae65a96342a5b741

SHA512
36ac695f1b793a0dee7ad82b57a1c8333246ca62f3d9a4f050d6a7ad383aaee6238375b2c6cd60c589657a599970eb1ce93a46f2bc6e2b3466161d2e4affc1c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
eaf979e02bb8360faf6d51b55f01716c

SHA1
ccba81ae1ae45bc969374fdad3b34ddfd14d2063

SHA256
eaf814dbe3b6e134032ca975cbae31211ef71620804ce691b61a0c5b375fdf44

SHA512
9e47847e39c81db23cfff74f7f871fe7cc4dff8817f49ba8afd11f47c2632e23ece8ecfb0128cbf5ebea2bd1076874030465ae40cd90881d24d65e670153fc1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
55e47a57e5ad80b00dfce460059bdd3a

SHA1
02332245d46335caa4c5182bf0690f6595c950e2

SHA256
b70908e5de8a2ebae2e8d5487427a487fa44da2783689491c98f1bb0a7b05b99

SHA512
688ff32e6865f70c8d238ab4e7c6dcd859d275323c88cd490e0fca7c3a617bc8e2aea1714875ffc73743c59ca7505e0e021690b93ccb7efaf01fbb2467582ac2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
69c80490751939668cb99f070f5ceda8

SHA1
92de71adf1d16a9d8ddd5a4a3918e2be89dd8f69

SHA256
ffde21be04b9490a207413d5a014a4714f4ebb195f062260540061d55e3190bc

SHA512
8a5e4f843f1d62679da1938bc811bd46b3efedad68f1e5844e1ab00e58e7aff6e7a700475533b2cba1bc1b22f4bb701a6852db3adbc01759485161137e71f9fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
c6bb8c0e8385b779357118a499c01dd3

SHA1
9e35f5189b59eef59a65daa00c526a29600b8b69

SHA256
166b5f4af314984f241cd26cb6e9504fcfbe9d3fcb91f6b027c64fb45440342f

SHA512
b106adc12b82c2be5171ffb07c4f2d3e307defe678cfa0ba992a4b537eec3a2548bd6ba74ad42f3e7a9ac264622c6377d36dc2453e5056264b9eb8ba17db1eaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
62b51b127c20c4a9e653c88270b79866

SHA1
2f7a8eba657ff927612c14ef1a7e81af0cb83ca7

SHA256
5144d6c25c36631401a937612f613438c293a30b03fd41a9452866aef1fcc98b

SHA512
7482119bba1051c19e978f8f97eb5a19df5411d0ae3e1fe5afd6d2df67b34e24676b9b0b313c0037d31eb7c027ddf5461b54a689bc3e8ad3efbda63c6209b472

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
a632b43703b6b5064416a4b310367edd

SHA1
f84ad073c8d05b8059c846c1eefce0d0f39be887

SHA256
6c8a436ebaf00a67f524ea4e7cf34b778f99534e45d2abc7ab3aa06b84dbe479

SHA512
f5989d83c39bc3afdd6b5e0896557614295f44f00c42dae790acc6183ed12e6314ccf388f360314891544305b467b444f401d94c359491503a1516fbb245ed7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
dfbd5e7eece3103c3cb8343973d0b594

SHA1
714e555e2aa8158c4ffade10e305dd26f43273ab

SHA256
1fe949514e5b865a179b8d5ad511a787c9bdbfec3c0c3e4d5bb19851082baf48

SHA512
13c6fac2434f2bf80b944740a86612390223b315febbef07ba711a62450ff689781e6abf43d9ecb22610b5008b37f60e0ecc2e5456829654a5de5081f224aa0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
5e144058da3b6f0f90561d7ec7bec382

SHA1
d78c4641e602a5760a3bddb8859a7741d177bcc5

SHA256
72220f7174fc9990142d4c9b65c11f1f9c99794713f5d18f966918001257e862

SHA512
0cc64f2b29042a53d92230a1acded5878be04afd7a28fcb8838f84d9a66d6d6c97eff1047221fbe25c6a567f17b615efaeaa20ad3e2ac962bae817f6f820a76d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
c865c6cc43f6900ddf82a7fdf4094021

SHA1
8ff12b3325ebe0a3778ff242f39f2888751fd6ff

SHA256
0936f9ac29b91cd5f5eab3934522529658c4a1ebfb6ba869aaf186f89378a5d2

SHA512
712d2ac03bb9a160d3775218ce9ac32c2e7acb201c2bee9084650afb684d4aba5c729603fbed4d23eb723300e1bbb0f3c81f0d9e1cc4db63fd4249f0c4f24439

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
f81239c7b113ef45a55e6b327287f3f2

SHA1
834fda563761f751ee00c5ce99077e93bcc96b7d

SHA256
cad272ed1e5e6023b5465c442b785808a01a25ba7de9858df0011aa016b18887

SHA512
7517d8acc111de9f6b007405b3de5dd19659468125466fc0222a6588a595240227d97cb75b9ffd6b947fdebce0562e6f839e748c73bd3a3f3ddf3c5734a0797e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
dbe3866fceaa5a00603c6fd6b28663d6

SHA1
8b17cdf5a403c2acdc26e0332d06cb51f7a788b3

SHA256
530fc31876b4c4ff753dbbfcd2659cff9093149c6860bca2bdb3bd5b781a1fbb

SHA512
e23bbdd67538e365b7ef6f7acc27519f11cf05b1fba2a7d51551f0e20bb83c36403378d383d35ec8295c270e4c1362167bc438f4bde27fa99a4fbcf842b06bfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
6633496ca5a0ef4c69d041c7d7ab5460

SHA1
1d0d2a605bf57d5f91f35b58827c569a76bbe8ad

SHA256
abc13a31e8ad6f23b26ceed6224aa19d6c18e690854de36086c953005fd8f923

SHA512
f0a10a353af3e01811cb5f184f759496d8d9d526aba03272395c689bf9a233e119bbe2c8d8d0dd7770af40e493a409e536137ac3d62625e8ddd5254da6286438

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
5a0ebdaeb606b351b70e5118fde639c3

SHA1
0b5d51896020acce5aff5f54d085e8b0197df2cb

SHA256
c717ff89af1cb7ac5676ef6d08b6fda758fc090826d57f34844455f2976f8b9a

SHA512
0801a1a38e36fa577df3d347f0cd9a704acbb0fdeb84db047e076611b100fd2b568596da24e72f4eb539345c6680472be4e6cc9dec35f429230dbc38eec1856b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
412ba55ca867a1d74a96b249ac7c468b

SHA1
3c32cbb815801248a6570c951cf48f40aa7230b5

SHA256
fdeb493e75b0b7f11da8317d37e1aef6c7481195187a1ed9a73a1719bb51dc15

SHA512
da7530ca7e94abb0e7091ca03c0b3d1c33b31356f7a9a834db83af11194672abe66d960a610a8c17edc17903c9074fc4645f07ca28ca9184f2fd8dcfb34dafed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
cc3718065d361350615814f6126fc335

SHA1
d3e1d3678eb19cebf4199c2038b72af06eb0158a

SHA256
589bf0c96f84e476b2d7439bf7ea8490674e7c3163c205d5c4b5bf078a8f9305

SHA512
b619b26cc84967199b8f3df7a956d43285ee9094d72db1c636e903351dd053327361feee6adf2cff729f0afe515f2494f8853406640dcd98963bf6c940ebda6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
431e8c9e485ff83a4538687f6a1cdd87

SHA1
0c5abd7ed6a85bccd6abef3e35e844edc2352034

SHA256
3d1a8bfd2a12025ac79c9052ca551699cfe8a0e107d16fc984c8176e61e0161a

SHA512
94f1c67cf013a4fa9f650bbe968ff04880bdfc0cb80a450cdd4d2207747eda223a227f36ab520c7036ab6340e681c0b558d641c7c728dc46d2a8e063c7f64f44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
aaa4977210f4c007045a24593bfacc00

SHA1
027a3c5948448f459a5ebe48864fa506b88e228d

SHA256
63fae5ba76e3e901a591464469cba8bd0ef910e35fb21a118a15729763ba0dc3

SHA512
af917c9afa50a9c99f0c74a0f97432a5a7663998d31c01a83a7adf17eb719d108b15db626f9d737934f1a60e0dbff47bad4df74d592b10b64bc14ee10d04ba0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
fbea52f6190526e1c610fb237838b88c

SHA1
ce7d1a0e6faf7f98f090e484f33e434844dd9287

SHA256
97f6c2120337ce4c44a556637d1ce3bfaef64b15f68d20818fe153ffb08f0f01

SHA512
ffbedb438ecfb919ef9445102ac49e59ea1eeb773ad51bc6680ae95764bb168f3554358dbafca987517fc7b1a85a4db4e127a15f8340bf76e0bf804bf9f9ab79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
a9548e70d7db620d3412d158460e1721

SHA1
69ac38c1aedb85dcc7a7757cf4a5f2d5b98a066c

SHA256
372924a8e9ef243d1547c604738785b38d26586e017cd4bdea1f59a92cb6b8e3

SHA512
e9bfa86111ebccc6ec66c409ba437c6e9279507e7893ecc04619066412f71b8683fc4a7f34273c007a27b96e3b6a2d97eb986d5896bac7e60b57f46d1f75da54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
8696cc130cfb11a549b4d2ce361d66be

SHA1
ff628b68d19b840b82a9c498c31864557bd87342

SHA256
bc6208acf5836f9e124bdf481659969b2b2a370f550f464e605a6795c50df917

SHA512
8cecdc02890efe518a816707a9f956f30d0c4b55b60cc2c661519a3746f50686d634f1f3fb6af6bef3aba97835cf1ee8d60b641635993076dd93a5108976c03e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
bf432153cb11e00008559ae2cdaf5e42

SHA1
44377041974d2032a7f3658ddf2ac7c066193591

SHA256
9b7f083ea169fd82a6b5c1ea096e8b228c9499c04e17788ff632fec9614308f3

SHA512
1946033397f5b013aef8e2eff1facfbc29afa57b8a345cef272301b3406a1eb71c8b6d6e2cecb9cccac0a93a430f29d712bb2a77944deb5367b5a75f43981173

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
930c015b62c0d04236fdee79f75c4b54

SHA1
f4aa13f0086d21f51391c3699ca7c7d4081269c5

SHA256
363a0365d1db3754116e1ba121fb2e450bcaf01db1828814216d1966ec8f9606

SHA512
af7ff0dd3379ca69b11eb9bbfbcb6c4270d983ee80b2f295ee0caed80f36bdd5769a6b6ffc51b63c3222f09ed3945e130a4cfc407fef4b50ae303d0eccbaf30e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
34fb0f632de496341638dc758916ecf0

SHA1
7b48fc17f4552b70f0ff520209d969d8b0d74169

SHA256
2360fad2d2c0dc95923b4c7fbb0e1a1237ad667ad2b9a1d7e4b719c5638a7b70

SHA512
b335d9a3aa6de448ed6d063c8836c804f01c248cfd83a49453645ea3e1eed552fa909af24e79181b9a9ba156a4cf36b17bbcce6f0febb2da94801e6d4006b48c

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
94ff2e5c9cafa7cff656a2e793fcb297

SHA1
b06ec7999b462b2778bf664a0a8d280850cc1cd3

SHA256
c1e7f27d3dcdab6f5473240341eec9730048b48666cd138c5cbdc66b026ccc16

SHA512
fbeff8cfd1a3fc0a31efb263ecb69225f8d0e49c4cf904cd324998efb20e311e8444ecd83550f563ee5cacddaf4eabdb39642daf813eac9ff88daf1710eee4c3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
bcb37c754e73462eb1fcab2966b23e2b

SHA1
fce33f2faac4cd6f3852231bdaa0bf2e7c54850e

SHA256
c79edc358b0a3f92bf8a832c2339b020d2fa48474be860cb9200077b4913a112

SHA512
8e50b9fad0d2b99dc4215de82dd38572af5fcbaea0cace645284ffc2b422edd09f5865dd30baaaee5543d5ff01ff8d7951b503737c1af2ffaedfb04f23af3cbc

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
97fcb2046c459c19d85aa8a5f8c4ab6c

SHA1
fd64c30a1526eec11f8de27d50e381d58bae7fb0

SHA256
960f6234683be4f8f9d3afc094656c643748580fdd37e3407d38fe6b538c81a3

SHA512
4dc6c6b8e83264a497a724e3efc130f544d8cb86bfff9f5dba507ad74185e6d186eb99c835e22cf452514cb0caba1f0aa4d1e4c49f7e2a06b5e0748298f4b431

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
2c3ea8928d31d182ea59a9a9f5ef5287

SHA1
1e7a37caa0169afca1a3b1dd13f92095a8949c2e

SHA256
2190d423cbcd74440b6acddf98a3a38aaf1fcd1490a801e455c7935f04e2daba

SHA512
a7d2460dd2d7056d54e293aee3244a94ae16e04e531d10f187e78bae387bef0565dd11ef933b98ff35b29c13c9694180c3e45fd66fea356786c1cadd74211903

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
31dc1d82eef6f00bb5092c81f1ab5fa4

SHA1
a525d64ec7aeb757877ab226b23ca5adcd85be18

SHA256
f93ff77bb982a735d8935690af19f481c1c3b1a1165e035daa88c96f3ceffe78

SHA512
e109bd0e538e923ca7d8fd5e95d314490dbe9044e3afa3c955a4c51e6dedfeabce60c416e9a87f1cdeee9b37ef48565d6d44f747251a1ee77507e8d4af062ddc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
b431718f63598110060cef1bfb9827d3

SHA1
d06256ed15605c0c1c7d36b5348d503bef7a5cb2

SHA256
f2d869db01a823bdd29889fde851f55edde2de3f030a3433c118518d90d2128b

SHA512
f742f5131aaefcf85c04274ba710b17c5aa84dd4bf1c904f2045c7b791b01a39f72df022ee42438b317104f873580fde529538c13e30acadbd0189136c65825d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
55d46182a41f569fb105f892e73bae37

SHA1
36e166cce562f952d9d6f2f3b3bd129e89e2be65

SHA256
788aca601c19f5d457d519a1b35403fd9e85cbbf372d688a87fc16609188927c

SHA512
6a8001582e237dc0ffb5154266a73c07d1c9bd3aa67415b8772512b5cea9a3b4c728ffeac2f211eb819ba5b074ef760f49a863097505a2f611c2cd6f6ab0e77e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
2c675332bc9d353be6295848d9c2112f

SHA1
f97af5436124ababf64f305110e5f41c3a1bf2c2

SHA256
dcb2da4bc090eab826245bcd84e4ed6a263297140e9ee9d9bb6683d2720333c5

SHA512
2f238f03da7f77abaadf58f308a9816b97de81b5ffde94b10f6b4cad767a9750e28abb6c595c40b460088b9e137379c5b3bad992725cb7455ff9312028e7c381

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c0ae909dd9e80fb8b6b3260cf5c30717

SHA1
32790c749c8aac0748eeca66cd26ecd9c4a83ee8

SHA256
c64322865c5995f5eb20b2555e63fa842c0d61fd64d17bceb9bd61b0d455982c

SHA512
2d7de617ac7176a1e8fc26bcd0d6e265195f5caf2131ee78f4dc1412c63340b8f561d18337e3fc359207a46672554ad754e84a7c608dd9cd2595baf2f6195bff

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
3c6ad4413f0ca05784c93c2e3c6f2a05

SHA1
baed5817d42c55f41a21cb8f75ad98c7237728ae

SHA256
8e172549bb84362587e433c08415e11f9e19f82be00b4e61b20a5afaeb3eb5d5

SHA512
482edf6620b65610871f0c857c23a59df9968f52da06635ed50a5eab8a929cd95ad3f489f83d60488565a1daa22348c8ccfee9c8138d286d88e4ada30b7e437f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
60a841e4db744bbc404088e601afe0f4

SHA1
9bfbbd8e93f227bbed277a208a162403c942a725

SHA256
33fbb4355e2964787926e2d57ce0aa9563fedd5fe2619d5531f1b5af530f2e8f

SHA512
82933eb7cc032e8d1030bce889c7761191ce4ed5a744542c638535c05b9bae5afd9285b3573cccc29f8ec2af77d5255df43693b770d865669bd4d9e0df82f884

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
02f556433d1cd37220480755bd67e785

SHA1
f58d03cce1ef9805f10cc6492236942ea2a0293c

SHA256
5cf67c653963e133e0fa2f54b789b0e7ee49abcfa2560ed273b09103d9ac7483

SHA512
9c7335c553a0d2e101b97712c66bacfe2c1624130bb17ca56555f834bf9178534ef3619fb1153103725eabc1e7be166a3b4d0c52e0669b6b79b05339c14b5fe1

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
50212aece8b419ee7d60b4cde1cb759a

SHA1
7e03c279644a63ea5f735bc3aec24c4c2f8b229e

SHA256
66a8188af57d96ee9f320139497720fb5e03c1399f4b66e0df67fea64cdc0ac0

SHA512
b99125a8e6e0bb12cd01f452b0da82c5116fee223762791d2cfc1c425fbfca917a543ce9cd8426f1dbd550d400a8ee8f3065c803a09bc21a6a800c19cc36a8f1

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
6a788de667adb3fe24ebeef0762adda6

SHA1
f9c28ffa24da6716546ebbe46eb4e704e2e3427d

SHA256
fd23f8f17d1dfa878e018c43e0ac3db1051681a92fb466b28b58af2af87eb437

SHA512
3c23b1c7a4f26561c46de20f80bb497e7c50a62b79822848a1f08188051f5cb0be2000b6fbdf416a3c4359dff26282c7b4739da028f1d04e46c66d015d7fdc02

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c137e29c29776916e421487e12603512

SHA1
91414b699b031bfd0b417a1f7930e7e1b30cc1a0

SHA256
25fe5d3ea448fe2c75bf1709e7fa22039145afd9aa0f6984cbbf793472849235

SHA512
f4283cc96a6ce0754ae42da1fad031f19f873e468e4944963c8ffcf1f864dc4a3ef699b5ae14cb136cfbb73ef3ba8ce1b67d7e46f68b536344022eb828134b24

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
f2c5dd60aac645aa5df44308c1d4f897

SHA1
511c7348a50db58fd646cd1cde3bcedee6bf1f2f

SHA256
4025807f8204d69f8894be44b8b818055486985cd2a508e415e6c712738a82b2

SHA512
7d724889e107016f5a4107d473d7efb2afbde30698c1855252173ad688497c930c13843bdc01d1b77501ce5fc31375a149bd978d3654675936f9ba31d0639170

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
daac68c546561866a35cb66800793256

SHA1
2329cd9ec3d19d08b499814527053f25d885564c

SHA256
40a9414502329eee46171a46b9e9c7f095ecf94c73e25c7e3af91cc2ee1b3c97

SHA512
56963a86e6faec209825f4e7473c166cfdc21896f57cded934c9c2828cadfcab6a1b4194d17906acd1a0c97ff933b001b4045324e0c3b618f07825101c0f9159

Download Submit
memory/676-657-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/676-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/688-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/688-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/688-41-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/688-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1012-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1012-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1012-259-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1016-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1016-76-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1016-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1016-60-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1016-54-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1060-353-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1060-648-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1452-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1452-654-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1580-644-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1580-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1736-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1736-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1736-66-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1772-404-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1772-653-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1808-18-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1808-5-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1808-0-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/1808-8-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/2080-327-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2080-647-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2080-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2204-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2204-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2204-27-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2204-28-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2280-415-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2280-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2700-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2700-531-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3120-655-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3120-428-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3256-62-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3256-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3256-241-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3256-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3416-293-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3416-403-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3584-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3584-652-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3640-366-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3640-649-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3864-391-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3864-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4044-308-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4044-427-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4216-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4216-389-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4568-365-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4568-247-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4568-253-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4568-246-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download