257cb5de9bca62539f88fc634bf4a7530176e462a794734197ed5bdc562429b6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_42e5da089ad0df8ad602a600af1388e6_avoslocker.exe
Size

1.3MB
MD5

42e5da089ad0df8ad602a600af1388e6
SHA1

8322979d4496ba934a6448d136945f7b3e1224e2
SHA256

257cb5de9bca62539f88fc634bf4a7530176e462a794734197ed5bdc562429b6
SHA512

214ab441103bfd36e1a6abf1eb045082a2c59ec40d614ca773c9d82b41086b168768dd881433985dd1143de79914f0bf2512db562bc23d8c2a3b3995cbd1f122
SSDEEP

24576:t2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedt8NDFKYmKOF0zr31JwAlcR3Qi:tPtjtQiIhUyQd1SkFdtgDUYmvFur31yH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4300	alg.exe
3668	elevation_service.exe
4676	elevation_service.exe
2860	maintenanceservice.exe
1740	OSE.EXE
5088	DiagnosticsHub.StandardCollector.Service.exe
2684	fxssvc.exe
4556	msdtc.exe
4032	PerceptionSimulationService.exe
3900	perfhost.exe
2188	locator.exe
4020	SensorDataService.exe
3820	snmptrap.exe
1104	spectrum.exe
3520	ssh-agent.exe
4948	TieringEngineService.exe
4572	AgentService.exe
2560	vds.exe
1564	vssvc.exe
3984	wbengine.exe
1820	WmiApSrv.exe
3988	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exealg.exemsdtc.exe2024-05-24_42e5da089ad0df8ad602a600af1388e6_avoslocker.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\483f0b3c1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_42e5da089ad0df8ad602a600af1388e6_avoslocker.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a41d4b65d6adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e0c1965d6adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088a47365d6adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002be79866d6adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ff38165d6adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bcf3c65d6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088a47365d6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c83a2b66d6adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
3668	elevation_service.exe
3668	elevation_service.exe
3668	elevation_service.exe
3668	elevation_service.exe
3668	elevation_service.exe
3668	elevation_service.exe
3668	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_42e5da089ad0df8ad602a600af1388e6_avoslocker.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4708	2024-05-24_42e5da089ad0df8ad602a600af1388e6_avoslocker.exe
Token: SeDebugPrivilege	4300	alg.exe
Token: SeDebugPrivilege	4300	alg.exe
Token: SeDebugPrivilege	4300	alg.exe
Token: SeTakeOwnershipPrivilege	3668	elevation_service.exe
Token: SeAuditPrivilege	2684	fxssvc.exe
Token: SeRestorePrivilege	4948	TieringEngineService.exe
Token: SeManageVolumePrivilege	4948	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4572	AgentService.exe
Token: SeBackupPrivilege	1564	vssvc.exe
Token: SeRestorePrivilege	1564	vssvc.exe
Token: SeAuditPrivilege	1564	vssvc.exe
Token: SeBackupPrivilege	3984	wbengine.exe
Token: SeRestorePrivilege	3984	wbengine.exe
Token: SeSecurityPrivilege	3984	wbengine.exe
Token: 33	3988	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeDebugPrivilege	3668	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3988 wrote to memory of 3648	3988	SearchIndexer.exe	SearchProtocolHost.exe
PID 3988 wrote to memory of 3648	3988	SearchIndexer.exe	SearchProtocolHost.exe
PID 3988 wrote to memory of 2884	3988	SearchIndexer.exe	SearchFilterHost.exe
PID 3988 wrote to memory of 2884	3988	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_42e5da089ad0df8ad602a600af1388e6_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_42e5da089ad0df8ad602a600af1388e6_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4296

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4556

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3900

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4020

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3820

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1104

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2848

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3648

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
50a1a7571178585d1c1968ee2cdf5017

SHA1
1c3862f2035653fef0d33c22cb93e0a36868cabe

SHA256
41cce13a49841f46e964a63d17bb11d134b3f894892f53b11e68e1b442b88ba5

SHA512
19dd17e0192cf5f3000c274462764bacfb8e51a2d2161d8f4f15778a516356098e0d8fa9b2b6441a2c14b9e90358f4f39fade9c05490b9aaea4d1ecb14c4e27b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
2155681860b35a130f697013f1b542d0

SHA1
bb636c78c5b89fe5fdf6f4d4662b90974cc952a8

SHA256
f29c9f11039272540ec4e8fdee02b3cf8b8e846f5c2ac24c934d8953b18de4d0

SHA512
d6a19b1c27b7a3783e900a0a27d82d941803c7fb30f2bc81049d7b209e5422ccff5215ba169e5f1c024cc2f5ae504686ea7160c0033b456f6c6f370197b8ce2f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
48a28c1707a3979a582050ec8228d2a5

SHA1
9440d854bd55b0d77e6781983c81ba8287132db7

SHA256
6f7d6a9d1ef39f3d3fb1041079c3b4d5feed2bb1ee1fd5052fbd083870d88091

SHA512
ab8cb941afb2b2d1c0c35e2b8739ba5938a69288abc8fde817a2046c0a2b0761c0572cf65022ccbe85cc1111dc17ac735e7f7cb1196fdf2d7d0340093bc4afd2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
26fc4db5ba91f1f9a7c2083699bf2316

SHA1
48bc78642c6ca8b68c44c30fc8f6f345eb3b9202

SHA256
99fa42ba77aff3d712bb9055731bf56c87da44a8bc8268fe8fef148a99b0c1f9

SHA512
4e7cd4f35deebe3206042be6215f639766145ff2def7920e45347a95515a2d07421015d4cbe10b9ca8b10163258d08ec5acb2a41ebf8cff9b7a607d6c3f3d2be

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2f8a27eb8d0ef82e0c55526586b2b560

SHA1
267c2460c52708672af6f98914430fe0d56a2bbd

SHA256
e648908286e41cfad8543982f2100304eecbff4992ff109369251f50b2f380b0

SHA512
f8031321cabf318110d30682a7baa083fcfa918a46f10d511ccee247710dd9daf09c2090089a045cdea2eed3093d8e2e0af177eefcc358713fdadcac1617deda

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2658fb54aab4a5cd3f39a50d30ac9656

SHA1
efe8deb789d4d2765d4f3c015464b02e1e069e6e

SHA256
0784fd0fc7689cd5d6fca3ed9a0f791a43de28e1ec5e18e7051ea769d1ec00a2

SHA512
3ce46d00f9407c1c955c01fcc7afb591461431ef13597ac9aee2d01c65ba0b32dc6e6b60bc96553604a8104eefdd300255761a6c1c1e197ad225aba189518d7e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ff890ab5b623762161abccfce22fbcff

SHA1
d943e2aeedebebfa64907ef6818bf6158508a7e0

SHA256
dcc8b1abcb79e4e57a1b385cca7ffe49ef51c47c9a5fb7a0c19ec36013819793

SHA512
d74ac8d047a8409921b6d2654c89be626a5a91c36bd30dd22c927d5632cf88ed54eebdd60ad8f40eb16d113d96fbec2c51672bf4c24802c94e13186ff15d9993

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5f5e324af0f15b665ad0608f63877957

SHA1
2f87c7c9380f99bfce6d8b6df6d4e2a3e08812c7

SHA256
70cccd721c5b8aa51ce7a28ccc433ee96392baa8a1e48cc345bd6522c0b508ae

SHA512
273297f3cdf94ddedbca0a071480904224bf1cc3b026258015d74722a68f94a007449ee33f13a89ff4d05e7e8d6572ec88297c6e7c2c99f1cd5a882b67285a17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
43ceada7447885932209fa8d7759acea

SHA1
2d3587c18f2400f1ebc6b98045095820353c95d2

SHA256
cdf9baefc24d2e9186e86ffd0b620b777cb97d1d9c34bc8f6641fb91f47968eb

SHA512
a60214961a0c5bdff697873f49b679f84ac94fdb7bed6e37b7fd2cc95849e2e491cfe1f288937cd974c1f73517f039e31af470e0b7b452391a06dad40bb45183

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d9d06bd754909d746b434f3fa134c857

SHA1
a37aea18e9f39ae0bd66750882e7680d6e81d4a6

SHA256
8890d757b39d4c50df1f32407849f52dc2f77fd225aeefc1ed8f0a0111d2a5c5

SHA512
7f7e73ffa8d9b1b15adb9d4b9b80b336d4647bbd56381807aa8dea1c0895f934f83918c4f683b52130d6a64abd1b03e44eac6a0034510d1ad4f0c2c375dbb2eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f161e4142446f24d6631b687a5fcbb8c

SHA1
68e892bd3342f3a0f2d249747979fd01c895fc9f

SHA256
077b7daaea1ae608c104e36cc106f6b3d07cfd44ce384a06c8eea7a9ca5ac8b1

SHA512
63118b6e1b82b2bda94642fd2e0cf0eca56683c7bb12a438c4d4fb089a7cec36b03876a52ff8d3d30cfc71f4c36297611cb58b9922028c04b9629cd4afb8a998

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6de1fa36bb6c41ca0be8b4050c6c0ff5

SHA1
f7d2a6f834e0dd9cd9ebc3d0b1e7195c4c7ae67d

SHA256
283e2521af27ecb3577607ed201b55ff2d2749da35e23b091cdf2c577af26556

SHA512
d7b006adf39c9277c915c42e9d50680d878b045f7631a1f934f605aa5997b24e4f6b3aeafda50913180c361ff7c5ab8931ae41a953660adce8579066be0a2238

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e0bd38b3d49801f8a5d3851f42ddc2d3

SHA1
9fdba3f7dbf6cef269648f4f2373d10c51999913

SHA256
efb4a528dd91b9f189e214047d497e1d83e1b9384535e0c7c10832e30e656511

SHA512
5c621efbfccdcf410eb27708c75bf421c8231a8a9363fb859efcba2d545d4864e44f816368a07d2ca268b3b1dd1114221cce635656bd8b81ae022457d5021a45

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
757e14ca15b156bc129a53c361a17e0c

SHA1
7a2c35e96f2c24a8fb8157fe4ec7923c68e57e3c

SHA256
de07e167b4842b422cb6e778e6ea802ed149434d9955a530521c333527134092

SHA512
b52609780352c8483222ca4513b7b37883d69f436cdce4d2d89ba76e6bb40aade87d3750535625de59bb81bc5078eb9dbabf8e6a5e24a6e9bb93f404fc9fc9d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4c2b707232637d793fcd552f5a6c2076

SHA1
02c5bf7bcbaca5f2cdec74bf150173f5c4eb61a6

SHA256
2efe438236d02217fa3fb47005b12583cb9b477f0ef251f3c6af2d3e018c34ed

SHA512
b5fc7f657d46f149f44e4f965ab12e6e3be382fdfda3dea72083103eda7d7d36ed1a14efbdc74841c43abe67123bba9a21ff73bbef31c3c140e2efbc5d92ea66

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9671b7769dea1d6cfc52f544b70ac6d1

SHA1
07fe143aa28866d6c805567e8e9363247b135123

SHA256
66cbd1ed02d4fd504ec01f4294273428ac6b55113be4937d2fec1fa61c21cc4f

SHA512
cca70913f73a9e5d4a4a50a97a0f1b8c9ef1e834f361c540173e3c38faa57c77ec155907abc8a9174ed0f294d67b8075e32ddf8c4bc9c3e3405742ed83d51764

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b80daa65071002e314559ed2b63f5047

SHA1
873c4eb27d345750c51465aa17d6a817a3459bfd

SHA256
0ec0d199d96b8d51a77f8deb19f936131a2d7a1181f789f03c3560666bd080a2

SHA512
e4b127f41c5f2b1d42f7206216f8621604c51f7537fa53dce35cb6375ecfa778700c4927c424360c8f2298c611662b25a9ad0713f26c034a7accd105c149cc8e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
647e7f97ad0bf73c3f7a06a2dbfa7f12

SHA1
4312bd84825edd64b97d36088c45e8af242c5d43

SHA256
2a0d7386b1d865a4b219bdd14bf4bf4739930fa3a84e1659e2ec0b914b3a044c

SHA512
53b88b4f3f0853fe2219679a0f82dcd4cd1b746c69d84b45e3b2755437586396b52a29895d3ae954f57b5d738ff67f0b44411824b470453a5548465ac6911624

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8da40b18ea3f4bebc512511e3e15bbd8

SHA1
77a720eda842c92868a06c8abab0673fc39245ec

SHA256
e875f299cf9edf2dde619516b79e11c0c3251ed99506531bfcbbb19489e88da9

SHA512
be0081f34ebef24d9240dc8569175b55c11b453230d94a1c3676ef5a7aba07dc79e3f98b7529b3e78556b3c877fbd7e6ef6af3c1d39ad6f407bc086bd9f57298

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e9d83cb89a1926599ba7b0b29452503a

SHA1
4470123a4a75ccad1b4a5f50e5108e5117434bd6

SHA256
a1ce407faee7c00638fe773cf45090cf7da11b9c2261346a945d907d5a7cceb3

SHA512
6465a2b5c0f09e88a806d4bd32b78159962c25f6f8e13081d1e909f3d60b68e188e1e7add3dc733b01980649f71727740b2528e9e9d7bac79e04dea701fc387f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6e6d604de118bab56691c40cb08200df

SHA1
bf7d39a52f735a8706cfe21dc0e1b7cafaaed508

SHA256
6a30fb7f9557cf543515638411c5c3911587b4f1e7ff8bab6030da36038f81f7

SHA512
81a536d844ec7d8a9c389eaa32417e6d2ae20fa616137f9e601d47be3bacb9a1cac70a666d24ecae3baee222d73ef4ce2fbb927a46a8cb9744c86ca7567016a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
11ccd579796e25781339b1c2ecf09805

SHA1
ecea8210eba88653a457a648d61ce5d6a06bf62f

SHA256
a40e724b97841c8357ce0e6b4debf43d79d9637cac2560b3e7d71d16ad593d58

SHA512
898b93fdae366dc60d15446c7324b0104a29a9a0b56338ab94da5a496d6468fa01f5d7748530ed1367fd91ce3ca6122e362cdd25f2c1e9ef9641749cf280798d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
9426679b9680424bb16622b38a01fbcd

SHA1
7b402bd010683640d9fab4dd2529fdeb7647f7db

SHA256
ff4149a1f019a438826be0f402597e36add6faa588fe96e1c7257ecbd0c40c3c

SHA512
c9bca0d0d8d5da1c4afe9bbab84f2562c4092c38a64949262eb0b35288b09e6f27ecf56d1f40832a0e372360261c672a520acab51284e42c39dc70a8f4e58d8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
82608a9b056893de80a0b65935120284

SHA1
995557978be056d0afa5928cb502f1ae5431b71f

SHA256
c45ed7e1b1e08d207792e5c66128d0769c7ee342d3386ce64092bb248876f9e2

SHA512
a633817017abc406e3da67a037ef58e94642aa470f436cc879ffd0cc02faa5412cec0e131a730160ac4fb1795c49eb5d188f7b9390adc597d77bccf2e4c86275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
33dfd47d9c28556dcc3c82dd05c83de8

SHA1
6443a17160ee1304626d66526d3ad94451030426

SHA256
8e4a5a04427db7f0e8ed83d2c45e0b5a6098c23b15f9377718e7aaffcdd364da

SHA512
7dafe80eaa478278bf4bc9fc158e3d2a0dd9ca9c953413c419636817cb9cc8e30b587f6c04804517314de87f31bff8fe3f41cc8525a64983cf5f67dcdc846189

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
95885e76b7ad0678d4a00d80ab1b3249

SHA1
4d9d319f529b56f0658387532fe9f748c968d8d9

SHA256
ea436bf660e28037ee6090a68e3a71fe27be60b517458144122a7934b64f1847

SHA512
9888809d079de46b3bffa12f1fb84dea146a047af8519be28d4997a44668ce8d0a44e5d7519756844fde112516ba027b814f884e133c830b75d49e589a495989

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
00fcb8965da6bd577c5ef9ae7cfea238

SHA1
ec0ae4c1588faf6f93aaf93e1e143b3defa9afdf

SHA256
1ebca6dd7e9413974d22fce0d0c06d91fb63422a2dd0dacd631824db4d19cdca

SHA512
9e1e4feb4a9074d796916ce7c96b19814e82f2e5ffbc9ca843d5ef1e04bf61f2f9ae83cbe9d3f613a7d5161f8fb14ee1e0add307519d8d6015ab647ea05bb904

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
49a7cdd4c64f6bb5edc95b56ba8eebc6

SHA1
ad018a764eca408f9a3e607dbfcfa53b8df501ca

SHA256
38419138127b3276496fe437517fb9d9c06afe3b660321cccf807fccf164fda3

SHA512
e1f076bd2ce156ff83f377e4a134a5dabcc03478d8c7e9853e9d40e9dc0755fe19a805ea0d6d8643c070c1e8c4d80573b1c99f3486582ed2420267b20be8d990

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0d6d0897dc09f1196031bd4af8cc46e8

SHA1
a75f284b68ed1d63351f70eb149ec7854a9915ef

SHA256
1dd649d6659a2248887bf701d92cc0c657ba5908e2f4bc3e2c6361eb68372ce6

SHA512
98d45d31cc426649e072424cd562dbcc8c020953dd79ce53cdf416074ebf11c6915de1c16cca405dbe6bcdc4c0daa827da582b059b34a88525c5e745b9c0b2c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a12207143b376312c5f432cf8de91f8b

SHA1
c74dd75520dba724e6a66bb5f41d97ff69b6061d

SHA256
dc08812a8e05ae7af46b08b12695d83229e9ed321d1faecdd65f8c24f5de4459

SHA512
cd05a5b3d42f1f7f8991c14d5fbf1d7ab49192027bf32114be8e2e2c56d37206969a212e4060574094470cdb960b07ef406c7c0c1708debb22d8b2e6f251f8fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
194735af9a48a3b00bf621de80c090fb

SHA1
8f9d0ff27063eeeee70e9286fd030911290f0c14

SHA256
4318364fc324b653e4b0aa8e6266e44eb265589cad5b8f29eddd3a2e760a8037

SHA512
b30d7d469f9809ae6e810b921f2901f99ed0eac5cb06b249ce9667ca99759e923112e3304b16481ad03ea3890b8e30f13a7ed5f04f81782ddc3a5dd1296e6415

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f020e6bbf7893eb4ca1d244edb0053ce

SHA1
d6739c4c6ff9fee7e2c0b040477d70549ded5c53

SHA256
2ce65d949353607012fc325bcc54692c044435324672d294e648476a9c42baa5

SHA512
195bfe6c2210a558593fe4979318f5a81bf118b6a9f14d53095177c874db4bb6154109a3aef8ffc0b340539cfbe305ac8a7f4b8ee2cf9e9f226ed5445b2e9291

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
959c108bb947e01f3f20fa6a7d437e33

SHA1
23c7d8f7ad733c8be669858fb3cd3644930dd25b

SHA256
b42041a73f1a5fbb791ffa010be3fd5dea41e36d0914ebd07dcd515d5f746fb3

SHA512
8136fc856dd1e0b5ade116a6f3f1a8b3c577920ca09567e03b5e33053316b44789f487dded957459f4de954d5d89b4fa4f183b88e0befa6ab33d11f8aa329347

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
df470ebad51324d1d8e6c9aa7e98a502

SHA1
7e25e1a16ae7e025be06dc01f0c0e32aa947f6b8

SHA256
bcd0bafd3f5b6b31cad4072138799f69cd162f5c39d44962351a09490d9e19ea

SHA512
7c8c937c616b4f0aa40e8a5d93ae96b662b2f9a3d31b3b04f7fd3475005e0fcb9961db95aeced186db8bcec2fd5a1cd723fd79d371d3c471d2116449d520bdec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3d7d19b86d037d7a9d4c9b89cc7b109c

SHA1
ce4519f0265e1b40eb9048f532b38e0895d2ebda

SHA256
07f793884d625f7aa58f38c412906981f93261115df47079e10bfb74fd0906ed

SHA512
8bcc71eed85a3b026c7cb98310ef8443404defead164cefd671c55ce2fa3a7e6470723cb858975d0ea9484c78ee096c228d51fb4419b21637f489873ccfb77f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
34f362a4a3566f72958e2b4d7d706555

SHA1
f90a1382942156d1f7ef194cb15f767ef4191f16

SHA256
0ba3f671b571383940e77fc8da72d9364ce54537bca968e3b0d222843680cedf

SHA512
5ca397f14af1403b96ec1d6a1d34f1424a5273f7adf2a16aceb9222dffa7e511dd124b1717e8ca38fbd9245c5393984530238f39b6213c3c1d58cc88937ccc01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
59909986e68da4d867d56d61f19bf7b7

SHA1
ecac159aca7f64165650552ff042222b6b9f1047

SHA256
97ce94a43937769846f7521266f1ddcc0edef9130442390cda2b5f5ab5554808

SHA512
e64459ea911a20991b1fac91448b88fd2706a74acecaba9ba631832ad9fea9985f9c6be5ffd21ccbbbab1ae52e168dd4709c4deac0b1e9040ce4c699c9ff3354

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
207a709d09abc3665590cd83ca089c71

SHA1
6c3052fc1c0149aee695d73e764236a668f1705f

SHA256
dd0914da56bb7bccfcb45620869fe5674aa0c474cfba00e2afde448a7ad9b73c

SHA512
29879cfa4de2a7c7f090fde458bb6aa8600b0cce69d81f43a3268e3415d76f3e7c909fafc487165c4e0dd85b58be6869074dc3432ce6d7074f7204aed8b78d46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
263266a04e76223f269e30869ff07207

SHA1
0aaa6b375209942d01709fb7ef04efe43e1deedf

SHA256
8e6d22773b541647319695c26270f9b57d15ed31aa6b73fb82cca8245cc90053

SHA512
b0c189447213fcf3f141227c22d56632b1f8038b9aa395e1e0636e4994cbae6650915395835a3cdbebeadde980050fd3dc2debd5af70c7e93890320ab36b38dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
e0c24e4666304f9efe444e5c9dd37d44

SHA1
1bf695efd00794226edec94a8cf1c0b15e6ff1fc

SHA256
2153c7db004cc99a7bf1bb88e477f63bff43abf937e307eef7d455fe7b63915d

SHA512
3a6ae39a37a8929dda7add0d6deee6c7ee3a9972415f70a35b8f5bb399659e36165809f029811bf706d1e09736f79313e3565338c5d582c81c3899b34d509b14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
dd17cb67030c83ba87ff2c575d8a28bc

SHA1
fbef311396a75ee7950a75c9d4167ff6dc8b8d8a

SHA256
c7c70cd39a125384691b6c5447fbe2544f39eebb7b940d1f9f3ad2a939a8b49f

SHA512
dc31e07365db05cf3984a220c43f54de7d31290a661fbeea0f4670ebd07ce8d3cbe149e4b51fad0b7b8cc8b2c70c731fb2aaa2067dc6a04ad37e71b8d74f786e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
f6f67cef3b6f2c8173b0bc63faa394cf

SHA1
7afd1114bbbd1f34bafdf5545a60ccc410b85acb

SHA256
f5ec9c167b6e0f00373bf24b755b6598e377db47994a2bd85586a0d0847eb63e

SHA512
c81617cf2e79d1856161cb5edb89dbb4fc9d3f07e491c5e9948e93ab67e003a88e1d1f912acddaca83c47d4cbaeefb22948fd127f07328c6468f453e9ab05d49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
3d3fa23f4958ca074d6e651d92074694

SHA1
7959c980395067f7ca0b66f53fde6ae5206d7d6d

SHA256
50fa8bf87f2d8ae4aa25159dcf163fb7692e658c0b91f8c9b172e86f8c303a56

SHA512
d9cc67b97e5f6f2737529d94c2ed8105c7e9f6f0004769f0300651575fbb7cf1150fe2a6f8cc6b2c136bc50f8ba23b78ae71804b7546aa107aa949a199831c34

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
5be1a87391bc8f1a871a9d4daa151e76

SHA1
c17c5947bfa88c3d68e31b7cb8a33ec17dcbd159

SHA256
9be41dfbdf8a88c6c74dc648ae62cdff7a8f5b130c5f915445e4ddfb850c9dbd

SHA512
f381a97311489cc3d41db34e563a485fb8e2a294657616e38a3bc2331b8d31a344ea5d6394461740aa3354bb372cacd8b4198c89453eec36c36323698ffef96a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6340a8ff618ad7e15635f9b441778518

SHA1
ccd5eeba635fa59d29f967eecb134ba646e44868

SHA256
42b6a4b9740a434575a28cde20fdfcab90d74d2ff7a8a3b9b49a48cd52a56d7b

SHA512
a2218f43882a6de03416a6c0945a4927983856787aa06cf4973ab420b054648613e0d990b5cbe4e229890dcf0881870a132740408db13897957e5707ae6d077e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
25129de53edc0449fbaba2119053b5ec

SHA1
a22a4e640d114699474b3dedbdc20251f7d29671

SHA256
32f03453ad8a6bc79a8ac86ba1e2c9377d3146c2b07cf6f150ad6349fb7d10c1

SHA512
8ab7c96e39106219632d16133834c859aa4eba5efcaf5c816d39ca175dd838a0e06aee94c9fef9bf9b012fb50cabbd7d653bb55933515cfcaf50ee9962361dbe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8da408f90c159705f893af36971e6e3e

SHA1
1d8859995a92049be0c010d8edd2c41b6a50f7e5

SHA256
972495894e07c9532e0b4e9920cc4a29656dfef504aa2ee968d6da5b75ae8307

SHA512
1a07710f33f28a2e477b6bc66738b557fa2fd5de135e010c72920a07f25e0666a036a7a9d42bd54710051dd51c656ab7df92ff81ff8c9ad824705ed4e273ad31

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bd88c75bae1658fd6c6ec0c2a964ac4b

SHA1
87eafcfd54c1db10e033eba06db7d86536e971cf

SHA256
b774f9ed6c612ff041f8512a39c56bb078dac220bbfb73ac81a2960c2a3d3c8a

SHA512
17e3782ddd4d46c1ca16097c6eea1d9a52a5123967563f31a6f8f823e52bad1a11a536f04361c818e2f0772ce47652c982f2e464d082029b83340a091ef00a28

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
26721c729b5873cb80b5ade752c0791e

SHA1
a93f792eb6cadf8ead9f543f7e6189e96d281ee5

SHA256
7ee62f0beeb59112449d3d60bc1d45d878034110ad14c232cb2f160236dab122

SHA512
3882fcef287f6ae3d87e2e6ddd1eb0f603e8b0dbe72144cbfdc179898e40f889b828414863f11f956eb0ff520a3a51e7837a0fb5bffcf48e07510c367836c655

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3c8c849c18109caf0d93c2f436b3617d

SHA1
6c1dd8c53201e3c3e3687ce949d5273c18327db1

SHA256
bca28d7551ec13cc1c2651781f89cc648ba8faa57cd1f118ed23472d485eef35

SHA512
0bdd2f1b32d5c9486f4395dcb642279e4ebb36a6ae695550f65eb1d0c091e524b3330bac941e1b53898454cefdfd13ba83850eb6125ff7617c85fe710b46a8be

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
41ed9eafb0203e94f4c571c74b472485

SHA1
8632eeffbfa3eed6148250f190f9c61cb8be5dbf

SHA256
d1d84d52d2946b03367c54427dd712826ece66db8fb0df93191b089cc6f51035

SHA512
d60ee136db9b149eb717649c8276882c97b9f5284c6676ac9c4d0d19affec3ada11331768f3ce64d535366c5c9bcf260a385df5a1320f9e56659dff05ae97a54

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
068f72203fb2eb8818e71b9d3195315d

SHA1
840d7a02e9a53f4757ce0754ee12ecb374f349cf

SHA256
53f0516b2cff4b61272faf295cf54f5cf06100238557e8f31bbc60993e146ac9

SHA512
40b0ce5198591217f7ca6d3e072f075d4e54da7ac9fb7dfdc6b1e4024c2732f759f3cde8b9cc1776e72b348ffd794c431b875bc8ef0fa31db269ae859c1292d3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dfafef58feba4cdc93a8a53c26ad5617

SHA1
0f00626fd64093f697f72eb5c90d0d0bd4ca8254

SHA256
6d26b3446eaf23de2c0ffcc73db2b6c4b540a22f9961a17de14f8a48b9feade6

SHA512
118765ba4af1adde0c30801bbe4342a1bec3210b285529cfeac72a7a28243a51c3f7fdb885f9f3ceb33d3398ff9aeb6b9028820bf80a75af89b09574b92f9427

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
39218710c3981e98c1f04307e4c7a641

SHA1
82cf24a30ac9148762b74659eaf416e2e998aad8

SHA256
584bfb597edab63190d3bbf832c05e7bd04293cfecaf25372cefac6679f95b48

SHA512
e7d3877c9350b9d5ecf09a7233ae8452f3a64aef5ad684a47c531428bc646bbb4b74a2b290f649c8dce900d9aae87e63ea0b0f40697c67d808e3a6582d639090

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
78f65ada5a1fc11e992b6a17a8fb56f1

SHA1
90a0cb10586910e82f5bc8c3f4bb77cabb84a68d

SHA256
162e4ba38484f590b934a94f637cc05dbcc47995832e64dbcc1fe5a1898453c4

SHA512
36181b1b87c9f221e22ea2a7711cc99a16a2e645ff1db1f5d2c3629e7a58a3733f45fd10e8ce6b65ef165a131e35a1e7c02419257175618feb145b24a7646500

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
50861b1535aa7d795c1739295f2ee02c

SHA1
11bd20595443302023c7916c6e023ccd5b4400ea

SHA256
ea28f6f0770b99c2cea3cb3055beb83a32bc7f1859d5e593415507bb5fb5ed66

SHA512
c06f7bed479401540128e36fc45c155abc6fb41bafd14ab05737547d5000279a8d08d9035b560d58be3eab6b3bf9e7f6164e5c0ee1e9319f30198bc401421b52

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a3ca2022bdd73aeeb911c2ab3c54148c

SHA1
6b070d5a78126377643fe2d65e808548700da11e

SHA256
07fddb14ce86d5c7ce29cbbd1fa784d775944b659b70db3339c308a2652cf15c

SHA512
70e232a136388fd8ac30458e2bc7cc008c6683375abdd40dadd939cf3165a74dd9ef4af141e5506ddaa17b565019de2ad8173547e739f0d00305bee054949df4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9d251c9d40ecd68cd0f4c6215c207b96

SHA1
7a81d908de882989354d2b8dfa27df903f7f4b68

SHA256
ccb28991b754aac062d2d3c595da10c336c31b434a69b939c28c783cdd512ff3

SHA512
f8aa330e9120a9b9efcdfca14283f0dc5d6f04344e82a087892b44f4a56182411f126e1d40aa2fc132d36fb1a5719c53ff3021fa2287ca5f4085e51808fb4a1a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
34d4418112e2603134d264cae67f5bcf

SHA1
11ac8c342893e070d6bc959f8d0ee2c5f50a2206

SHA256
4bd08d83ec5cfc42d524f5e8ff70feffc2837ce7c074bca2426aaa08ddd12fd9

SHA512
ad0357656fb532eabb3a255368048ca72f8621513f3856ca18d78fbedb780d22308afbc1d8cf08efdcecbab19624ad91d4162c456717171ffba1e1891f1a47d5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a40a3ebb057c79da0ca0185cbc3532a6

SHA1
a9f8a4497f0bcd159d00b5aca3b8bd1c6dc80d8c

SHA256
63fb5d694677ba56dab7859ca75a4fbd7845759bb5746e4da14a5998a887914e

SHA512
e9e30fe1beec709ff3046e7504e4f5b58ff9f21f12d625c55f03f1473ffff6df006eab5a0a1028221f9da57448860dac07ae8a620abeec45eae6f4aed2964cb7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4c3459b284253bbeb417efa85c82ac2e

SHA1
2499462015f087a1b65da8514e1c64c3277bb24e

SHA256
64440769cc9a8117c81ced54be8840076a330055bf47c8a4b6a2bd21b461e47c

SHA512
3ebc5e4792ed2468fd11397c50d37c3e3df0f46623d57907c2a972082e14608500e96a3569e6f36f4d02e06e1af4fea2cba9eda7471440cd26ba0be33cd557da

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7a92d36bebb908fa7522dcc28e93f984

SHA1
e99c434d40a4b549160ed3ddf67bd6ba295a8889

SHA256
5e5b68afacce7d0f076a3d80e782d50ac2f31509bae4536ab2f8ee03b259bd84

SHA512
e83d5093ac9a92ba5e8f6a550801dc6cf6013935a473b6acfc172812e967e964df09d439352cffea0871c2d1e824208d0875536e52d10ebf618e8cb8bf50b246

Download Submit
memory/1104-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1104-641-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1564-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1564-650-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1740-75-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1740-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1740-68-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1740-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1820-426-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1820-652-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2188-425-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2188-307-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2560-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2560-649-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2684-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2684-257-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2684-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2860-64-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2860-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2860-53-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2860-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2860-59-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3520-353-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3520-645-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3668-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3668-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3668-31-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3668-38-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3820-525-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3820-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3900-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3900-413-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3984-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3984-651-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3988-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3988-653-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4020-644-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4020-320-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4020-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-401-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4032-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4300-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4300-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4300-27-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4300-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4556-389-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4556-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4572-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4676-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4676-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4676-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4676-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4708-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4708-19-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4708-8-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/4708-1-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/4948-646-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4948-364-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5088-253-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5088-251-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5088-245-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download