7f4ab716ac6a16540f24da43709c45d73d579bd68c01356b7d00e88df641808a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_c0072ed5b0728be4fe896d0bade52988_avoslocker.exe
Size

1.3MB
MD5

c0072ed5b0728be4fe896d0bade52988
SHA1

2da74ae5318ec5e7e94afe2dfbb8937087b56508
SHA256

7f4ab716ac6a16540f24da43709c45d73d579bd68c01356b7d00e88df641808a
SHA512

f29072489e4dfd6cc7090d4af90c4786e76ad334d6c4ce38e7fee8cdb7f6f015c9d6e29c81593481cbc76c81578d86a26338c03af62b27583fbe959fc9477f6c
SSDEEP

24576:I2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedw4+mIJz5IcuMlQHJxrDiSi:IPtjtQiIhUyQd1SkFdwisGcnlQHPxi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1180	alg.exe
1172	elevation_service.exe
2900	elevation_service.exe
4832	maintenanceservice.exe
5000	OSE.EXE
4044	DiagnosticsHub.StandardCollector.Service.exe
1656	fxssvc.exe
3664	msdtc.exe
2128	PerceptionSimulationService.exe
1996	perfhost.exe
800	locator.exe
4016	SensorDataService.exe
2624	snmptrap.exe
704	spectrum.exe
2772	ssh-agent.exe
3612	TieringEngineService.exe
4456	AgentService.exe
5004	vds.exe
3600	vssvc.exe
1928	wbengine.exe
808	WmiApSrv.exe
4936	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-06_c0072ed5b0728be4fe896d0bade52988_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6f9de5a3293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ab473334db8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b526c7334db8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f21cfa324db8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d7a78334db8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc4320334db8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035f6f2324db8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af80dd324db8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe5614334db8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c56a08334db8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061df3c334db8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa46c3324db8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af80dd324db8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1172	elevation_service.exe
1172	elevation_service.exe
1172	elevation_service.exe
1172	elevation_service.exe
1172	elevation_service.exe
1172	elevation_service.exe
1172	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2504	2024-06-06_c0072ed5b0728be4fe896d0bade52988_avoslocker.exe
Token: SeDebugPrivilege	1180	alg.exe
Token: SeDebugPrivilege	1180	alg.exe
Token: SeDebugPrivilege	1180	alg.exe
Token: SeTakeOwnershipPrivilege	1172	elevation_service.exe
Token: SeAuditPrivilege	1656	fxssvc.exe
Token: SeRestorePrivilege	3612	TieringEngineService.exe
Token: SeManageVolumePrivilege	3612	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4456	AgentService.exe
Token: SeBackupPrivilege	3600	vssvc.exe
Token: SeRestorePrivilege	3600	vssvc.exe
Token: SeAuditPrivilege	3600	vssvc.exe
Token: SeBackupPrivilege	1928	wbengine.exe
Token: SeRestorePrivilege	1928	wbengine.exe
Token: SeSecurityPrivilege	1928	wbengine.exe
Token: 33	4936	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeDebugPrivilege	1172	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4440	4936	SearchIndexer.exe	124
PID 4936 wrote to memory of 4440	4936	SearchIndexer.exe	124
PID 4936 wrote to memory of 1752	4936	SearchIndexer.exe	125
PID 4936 wrote to memory of 1752	4936	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-06_c0072ed5b0728be4fe896d0bade52988_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_c0072ed5b0728be4fe896d0bade52988_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2900

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4832

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2744

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:800

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:704

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1532

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4440
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
531f90a807e0ae26f7b4e66df4c1de30

SHA1
26a94bf6d8f18f98ec0ba967ca784b0c6688f980

SHA256
faf372ec7d8d1573aebece817180f3d951957e0f2e3f8520cc42d84e8fc21bf5

SHA512
6f58fc6514f488f8d41aaa9e2ad9aea43237790bd43e3b255a3cac24d0275568b863c2a363d0ae48ffd19c71e577c8219330966f6468fe2f2ee0c1946479877f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
ea8698b6b244701d416a11fb15d1b51f

SHA1
5bb7b2c5744f42af49d116786202bfe504eff0d9

SHA256
a971408df8f21898ada3924cf876f25c7888731ef2dd311027b2f595ac93ebe7

SHA512
0f28faa7a434aa877f4900f3c7363fa05b501b15c1996da5bea5dbed3010deeea62a39c346715894bfd9c8275dc4043349c0ba43fca3de88d734745c0e521ef1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d70500d2683a6cbd1d73bb0d3d444d90

SHA1
e2643524990b0f71a228e955a6218b1ab2bee082

SHA256
9b0a2af1c9ea410bac3886feb48d7ec0344961855c9756988b75c6f310a04776

SHA512
dcf3d892281140e642182606b10f490b66d579240579459b0d3b4996753efa2ec5f8c19d645e35d21b7cbad5fabfa2c155cf1124104143c5655bca13fc6b85b4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dbd2d179693fc3586992fd949f52e92a

SHA1
031063575ce586079c315f5b6d018e79181ddcb2

SHA256
1755b1701310c3d9db89ec901c28d22ce12e8dc6c65701921e475da802c9871c

SHA512
e4ead7f2226aed675bfec1ce36c943582b369fe4424d84864420928c8d738d6fbea20f28c95e4f052573627e592347b3923007ded3c3538586c18984ee1d982e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9e615e24bcc62e12586b05a22b6e1390

SHA1
ab57526120ad3d3f9a74fdcea9ba805fb48fe313

SHA256
ff5f6b9c81321d838ea20e46f9781c65774743b03e0f45b109c7a97eef2a4ad2

SHA512
61d233f67c3ad3a76e380d75a502ea99a24a6ea05b30fed40dc3ecdfed32425fb4496aa923a1261274e7d11fbcafd68dac798ccfe775fb4a076e523f130d2837

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ddc35642f008b3ab4668f29bd21ca5e4

SHA1
f379d678171ae54f0702dcdd949573fbca926bc0

SHA256
e66c130b7fa63e1997e8e0b7a5dd15879363045db0bb4d7e37a835e6a0ece2c7

SHA512
1b410824725922b08e04f9675599bab5096a1234cfdf59afde71eb110edf634ecdb0a847ba70be10a743ca397f64c1197f3f946547bc8f4e35cce8c64b43979a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9aefa49812e2b15ca4f6bab0c3f9c805

SHA1
afa0b5078ee164c8f55fcad03ffbec9a5ae5c13a

SHA256
76b68210d36d2f3582d6e2be4b3605ee2855d0d8ff66e303eaea8804a8780daa

SHA512
f273db96e62b4363ab5f50dc8df8350d9e1f0ccbaebbfdb488e854cd457eaab356943ccf7777b402fb310aec8c2f7128e87bc77b48093214a894def37954995b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8ae464ae945e89745fd4440d6da07a49

SHA1
1c930bd5c37300bf946533dcbb48c836ef4ac7b1

SHA256
2bfb1d11d9006433f172cc55bf9e2117e3b7415570b1c0ba10b8532128c96050

SHA512
dbf1ddb5750de914a7f6a562e759722757a119eb3eb4c7eb9c9ecdf5f2c7b101fac9770b2b1b0c6a0463680058fa42790dd8865ec780080f05734504b41fb9dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
616fa0d6ac9d9e88a85a8fb1672bd7f8

SHA1
49a3c8bc7b57efd7f9b05f26897ed7f40de43619

SHA256
81e2cad034f83666f5e9131f9dd2aeacde8b3060434753025831793cf2eea8f8

SHA512
6d92ef7370e6974860f0ca85cad3c2b956a58e5b392deee8d81f93968b7ec97e4a6c35133486bf3e2e1cee82bf0b640eb06f45e74546d306bb4a9717472be1b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b0e5d80565fed2754dc676d4981fd191

SHA1
1930afd1ae3df82a44d6770e4b92984335e9ee78

SHA256
47388dbdb8af384ff846f78d04527af031389e2f4bdb1da443de3b6ea68c9807

SHA512
904b2fc3dea04539d5605bdd0c209010d6c93e8856d1b603f2ac8780471e72f94f508ac30216d24e67760ec2cb214671715efc9faab384f81d97d9624e2722b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
60164dd6f50af186f87a31fed654cfc1

SHA1
4034619e54efb169d2f73d5870f78ada8aef4a52

SHA256
66b6420c37fd40fd8054abe6a9953a47bad7b82c6c8ee624503fa46125a98f63

SHA512
095cf3e98121c5950370a621aeafe9914b3bf0c27496cfbe71f2abca196ff5225ac468ec93878e7a9c3d8ebebd8df6d027f346aacf8df2d1c553811208393478

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3ea188fdfec39fe110be8497a638d7c3

SHA1
676484b25774df85ba0417bc2beaaf4c6df08630

SHA256
0f8441924a80b86962ed0875d088230528471042e69f0cc1ead9e4889183ca1e

SHA512
147ef246f470050a467a01e22c5b96db9b915db1051a5a748f3676d8d2d4d523481ae2a029ba62f56b8d24a7f43a0440070b48de87545fc4bfdef649b29f3fbe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
afa06951682c287053fb303766e08b88

SHA1
d632f76579583dc84a91eb54b2fdf4d66eb15652

SHA256
cd2cea7a0faa378942a761a0c2b0b49827dc61199ae9e8cc128bb2d2bc6abcdd

SHA512
a6262315c91eaac2d80514f0e62570c7782596ff3bf8a9d274a2ed70365ff92bb36dcdeb4bbf668250e11ea2d6d840d8d1856e9ba27f4d7801cf460b8aee5132

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c3aa6d01387adaa1ed592fb126accd41

SHA1
7539f9c1f6c4bc20529c8ff5d924e92b0ca1c9d2

SHA256
9e3a0fa409d9ee9b894f9a9c0df36acdeae5842433739bdc7d84106213a9699d

SHA512
0e38c8966867977ed8f851d669266a9101c3bff6921ae045c17f612e3eb257ff6a2d84d99cdacba8c3fe105bacd8a3bb65f85e2da2a4fbf2e58d24ce02808ef4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4d03b71d42cdc75c7d1bd3dd93aa2046

SHA1
b9017d2cce2384d6656bfbc465db346115d8c238

SHA256
4ded916873028f3ab3c70c1cf7632d174fa9093b8948d580cc8fe3d08b6f97d1

SHA512
d3d379c0b39f92a4823383c753c6ac72929ce8a1553fc419505676232070f9a2cc076f9b48205801c9f69637d2b4deb88bd22318eb0acc3ef04420ac80a44c3e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d8767a1bef62d8207dced53addc10bea

SHA1
afbc9748700e3a637a07421ce73296a797094fa6

SHA256
b804897e48b3f10afb56c198920a2ada05e8f9723d300dc66236c9e4938d7032

SHA512
f6039bb7ea66fc43569c7649b1a8fcafb9d018877de22ae4de1331e739936b47d50cfe8938d4ac4aa8ffb7a25b4c619ac3dabd2b1c3e28933414e04869b8c275

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
65c1ff67137621d99decc2ce2152a324

SHA1
68994673424f02d2de98908f3cee5f3d05078bd5

SHA256
92c48911d2887d5d38b03fded21636ac312df874a8a3a0fc82bcd49f343947cf

SHA512
da746e0df5effbeb69aeff5e9c9c71a27351ce34fe5f377311d4458e177c8fe8053f1a06e5448d492de98243b47b6a4b51324989aefe10d03c6e64446078d48e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9915a231d94670b6034cd70a49fa7260

SHA1
c16d747cae97cc2ca9438bdd3ebeb55123838e62

SHA256
d5bb2ad583ddc9c68321337970c7ef7ca793afd627527c32640039cf7fb760ff

SHA512
457ef775fe7071dcfa4578e27c7f96be62f1ee8a26d226d6684fb02bcf6b7b4e3da77393e0df61f6ead602c4acf6a4916b779605be78370f508f3f3eebd2daa6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
11965de8908ed4e309d77e1213f4dcd5

SHA1
b9bbe2f1e5b78b00401f72ba2738fa11b91b4358

SHA256
db6525579c6c67266b32869178e64085005347fc79a8155408ea03438be69a78

SHA512
cf5b643243fe780abd32751636a9041c7387f336c7c8091c4d41aeaa0f8f08bacfed12bc76f2b1f744b26c90c231d4026d2732802c929fb1bdce72185043a9b1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b1d1d3007dcda6930cb0a87ab5ab938b

SHA1
a1a165c0b7c240e89c7002d6f6ef46bb0baa5f14

SHA256
7dbb1031acd67590b8603186b0cca3f5540b310a1d55053f41d03babfb70c1e5

SHA512
15d0e70e06446aac529fd614a9e298e39379c3dcb2225b03a96aa8e5fb5805965483429917d3abb4a7727f563fbefc29ec4ad045bd5a573d5afd991782961e54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
37fdddde050063f85756460573f13905

SHA1
a217d20863393570e21fa906ebbbacee1588f7de

SHA256
f913a281327ab104287073a308f0821e5baa8fbf6dcdbf444736008337288272

SHA512
223a5cbfd0fdcf80fef19422fbaac01a110b22fe3d2e3d93c3e9ab03009567151598c295d8f1651f29da4b026eca24113cf8c0b44b46fb965b424bf7ab3d6950

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
edce932f944feaf72a962bc93ea5be96

SHA1
9b74851bdd872920d535696ebf57961e22505fb3

SHA256
7249be3a8518fe5d26bc529eefe01dde19e7fc1b37000c0d5bf1ad94dab39991

SHA512
83347aee4d0d4f5eaa63f0cffe01059acbd95cecfe485b307bf14e968835bfba437ab8952c720bbddebfbd2f55cef54be5c76811c73c95a93d6f05e6b39c9b59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
fe6032d4b3596df0e902fb7fb7dea390

SHA1
4448fe5403442edc505b5e4fa615ed2bba81f302

SHA256
bbef3a96184af47f77a21c7f6f2ccfd4f722b2dad2855ddeb07c7f19cc7bb41b

SHA512
054d4be698070dafddff61d3dd7f8f6890dddadb3950aeafebc1afa2975d9a01de46934ba184e7e3e77ba6a0e0051f0b8f372f452f7e7204f8f62273f16dc192

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
8b4c2c4789de7f27c8d113c72c10b484

SHA1
e53a607288b63746f47d5e6bd689c9925a4fc4d6

SHA256
f5a16626d1a6dd57fbbdb825376f0d6673f31bb22cb8e944045b56b05385f612

SHA512
231aabe1775981b855a9eb4bd379e0a13bff1f220c8e88fd4335acfdafd4d87bfcf09bd085cf01c16bdff4634714c8b6262eb57afd8aa789f9103de5e7b7c352

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
fbb17f84ec094a5497352973d187d3d1

SHA1
63632824c9d7a180712edd1e7a5d88b5e9178677

SHA256
ceb85dea903aee637d89be25a7ff4ac4898c492e0c3257f256f99dc3fbb21504

SHA512
62888879542771abe8353d28eceb21fbe6e7a501c5890418fc212b6f7c2f459f1ee2018fb31a8c9793b929cbea93dea3d7bab93a0e8c9d19c6975315edacece7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e0f6a9b88d7ba0c78b6357e502dcfb0f

SHA1
504cb635b859b4b7f2fd08710e03d650c6a8a585

SHA256
b9b985c92919d082de5c60e0d614c2a7b64be952ae6155f55c4dd9e060d9e844

SHA512
767349d933dcb5ed49f0ed2d735050783aee08c57807be5f6b66f7a21d765cbe9fe5df73bae592f66a92c6c1d9ee17a65e10cd69f4fe29c9f3ca9c1e0da35ad2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
69dccc72118726cacf7e136666e71be2

SHA1
504d3a5b4795e2e0efd8df26849f7ad38141979d

SHA256
0315c0cfc4c40d3a1b52da7d76d2e0eef923a730501f7666cc94ec02b2765e13

SHA512
520ee62afcd1676504351bf7978ce63d8956adc3d9a54aa5731213802061fe78d4c94282197a756fa7e9f277cc43791b581e18dab88a75a6db922953935f46a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
1a8fd264b5c24236dfaaebf010a56c48

SHA1
af8f84a34c1053ddfd8eb505dbeeda41fadad02b

SHA256
48444a771f5577c2ef0307f57e66e8868165514b7184010980d3a328d0a0e6a4

SHA512
2f31e906e0e4f224224a248249c716bc1bacb10d66886f07a87d6e519471046fdef8ff1093bd8fb6101dd52ab22f57f08e5ca458a47c3f51a8aa89b6879d48f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4065d99ef8d1f38bdd702dcb55c07664

SHA1
b0a9bbd5a7f37c353697b705fe7f31ac2211ad1e

SHA256
d614e43655fd12548ab86eab098597bc59a2dd6e169d592ef4196f8290e9665c

SHA512
756939e132a9a4652b25b95a8e7742154371477813b1978073fe7890a3f89cd67dbc98daa39c4790a8a5db367ccab620111688ce87ab37fe3e92a4b35ee9682b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c23338dee9f62221ef3e0c5af6d3c1e2

SHA1
e91cadca62c2123563a4e681b768fcf7a8b03eaf

SHA256
34b0a7ef5ade8274032fca6cb3f5d46ed46176d8af8dfc6cc331f7c4ff6d35be

SHA512
ca0641d5baad71d7f310462814b52272d91d09f36ac1afce90a261f5c85010686c7002e813182c5bc05f01c26d89fd772e8f08a0fc61d832ba9c19277ed44a10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1ed5f351a6c3fec152bd0047e52ddf22

SHA1
c78384b2240b5c88d2896fc4f7e8b628cdf9c7e3

SHA256
38c962fa22ecd77bd6939f8dc704f8556bc631b3b148326675306771b12436bd

SHA512
706efab37dd4b41bbb36883c3342da914475b3fee32a3e6fa61d231276669ca7233bb578b99414bd36009995a50e4c19ca44b3459846c72edc82b9bba9311975

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ec0772bf7ea00179c106810c5fa6d872

SHA1
6fba3311a80dac105e9cfa722d276abd01031dec

SHA256
d9312f6d39295d847e4b9d1790759fc9b8bcf19f1db249a248feb188113d27f6

SHA512
7de25f6533172d1c0e4611fe351752da06940a1fda54a48ec0f5ede175503e5f88c8326ab81a51356a92a33d7cdc7a3adac8ddb57a7fc119ae74335d7e64d9be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c3d3a524f226198605232e7d91c185d2

SHA1
e106deada46e1c5e1c37a7c8f2c4c7afd0065f65

SHA256
b85bdfdef31d640333a850dd1b132edcc6601ec21eab0e917e0fff27b90cfc86

SHA512
6d31bdc50be4c7e24eb09ecaa27103421912d4895767bac000d7523785da68c8c97b3c08f1ced5cefc329fe5058808727c1d6c1d9fd76fc2a5e6e31ad150b676

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d96fb3b1023ac9c29217a95d5c547be4

SHA1
1957084653a1c9a57d371bcd7054fd252dffd14b

SHA256
1861ae9b0561f5d4b1e8f9693964c0dbf58c8320d772f454760d49b2d61c9a59

SHA512
f8316afff774ea7f5aeb1afbedfa159bf91b7258e3d642626508cfe0dc147dc507f76e0bba01d6d901d36526728024c68754250486137456fe6f075377ea5c65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c158780f24af2d3fc526220343140c57

SHA1
e95fa789da7ffbce565474d69720ec0bbaaa15ef

SHA256
1463b9e3dfaedcc842dca5e29cdef4e125e081bcb18d7a005fb160990a3a2c88

SHA512
554a6fa70c844a4ed1c273a4dab93dd9b02d97e122755cbdcc7e9dfb551aa49bd3222471eaaa17a8fb55d42270979465cfcb3cd44dd9236858177a5eaa5e5068

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4a93bf499eafc873ac4758b03391b9dc

SHA1
6e66e816c654946152288a83e90f15ff3a1a0ce2

SHA256
575e4603aaa108e33d9a4bdf0bb99893306165f08d237fea9403cc2bdfb37384

SHA512
686bbcbf72303a3e544bf6a594a3a0791fd9a3442324a09cbf0dee6d24d3e0f5b5a5346e566c062f17b200cc2d4b52a1ab6a61ee02fa37593049780e3fdc549d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
acf4c9c3c11dda910a71697869410ab4

SHA1
8b09b58b353f22289f530f0c676129ef1ecee214

SHA256
21fc1228483a87ab282c8d0d5320f06a358e8b732b44629233a8ea856e837629

SHA512
4fb3547a8bafc4370a2cc4f09edff87bdf330f8112cbcf6d52dbe2fe62071a8ff0861b8b770e2b39822228719057c6c3e988fa9caa5ee1d9f46f290976586b4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
ac9f8206c5773f42a6ede450e3b3ab94

SHA1
01101e728e0f7a501ecda2f3708371f04ded1ee1

SHA256
aea1ce307cf92c908c3e1e3dcb3946dafaa442dd32407271016c9bc0c71c98f3

SHA512
ad205fb2c9318eaab7b5d9fdf0d2c3d1d7d6339506a070fcdd4c45be6c52f783b6eabb02ee3545e00f628c7d1655c6c0db2d787bdcc891203658b01112fdb12a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
11b2f1efc4b04fc8aafc1ae193e0ba54

SHA1
46290833ee6dae51f2bc868d79268b70c773ffc0

SHA256
c80d956ef14119f43d22089b4c69997158011248a293523b253ce5122a6d6ef8

SHA512
046d677194d609249278a12e07f84910a58e7fae3473266e8185287450b32eaa2ed90bf6960f66bf0cf2182cba1a051bcdb9bb38a96a32d99e70a4c856097b0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
01eabb6492836c78c4efd8c4b1577b9b

SHA1
91cc64fe07eaf001a2b03b4ac14d4f9540bc1c6d

SHA256
b81c6cdbb423c0b67ebc14cd56c6c3e14a7467027c2635603a2e5c06a5fad2e0

SHA512
c776f255362fa31e199861ffb86bfacbb99c302ad1e4bea166434079200e606bcadd704adcdd651fa48a7b38868a55ffe380484ae5c8058d18a5baf20616f2a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
f941b5e47090e7985c0a79c4938769f4

SHA1
abd461a6cf778dcc7f56f47d6e3e7efd90090383

SHA256
fb172165c97aaf8da94956a4761d03e47609bd67555f0dd0ad556d83844c35f1

SHA512
21c5e052ddbd38c3d45bb5f849fd54a7f07e6aaa012d4ff1edbf8160737bc8e08938f7c93a850411e656b5cc1ad277a7ca8c5c96db54be19024fabec58903b0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
c128edf294d98d0d5e000c79222ce2d7

SHA1
8f402f50cf396415a57bf2ed5bda0dbbe49b003f

SHA256
2b5e8e84386790d37fa8c5fccd2e65f94143f910c4672e7cab9ab76f74c1686f

SHA512
5afd218834a1141d32126ffd44d63f5ebbc08f0e64ed1f093f868ceac95a4879d41a6cb6dac0845fd3d4ce40293193e9bc75aab5b78020b4786cbe817bdf2b1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
de8798c78fbb9eccb825f521c963f7d4

SHA1
1577c8c35e19966bd11b499f324300090cbef3ca

SHA256
d05eae323d091b0f3fa2f1e52993974387a488ee43272b0b68bdae6e45ffcdc8

SHA512
dead2f5494f3daac3269d90337f0f5313509672cb15ecc89141e2df5b08ac1aa8f01155c31d3cae0396ca7c53c725c52dc596ef77b422165802fb95ddb4739fc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
3288a786c486c84aef5f0e167383bb8b

SHA1
631d659925379cdf0e3e7e95ba272aec0e559a5f

SHA256
8afc5629e1639ff6b0ac2d8ee9d8e8d88da974bc79281081ad70ff5c1e6ac325

SHA512
040bbbde1ecca39d587f5cee1171d3cf2b82f15d4dc6db7fd5c09fe176a84a7a83d95481ca1b44051a60870bf748ac8c572b9b5dee6574aa85ccff31b3ed96bf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
981c1871bd4c61e2909043e9f663cafd

SHA1
82b5adfdd430c85872172a6c296125d62e2c8a2f

SHA256
d6f543263dab3c68c96e90c5bab6d6c70b1e256a4e171289e9d069a3b5c8c82c

SHA512
6d0d70a0ad4e6e92c03fa5b95a59a084b3970b109e69be7cdc7cd51258304942507923800cae29b5a02e75f1276eb5a8a91dc88c3ada762088486dbfd46d6327

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8a093a0320421ddfe399050afeb9e704

SHA1
808f8aec10fd9d2f772a80daed09c7f874867719

SHA256
e4cac8a7d2c3bfa6185b348a0ec9dbe80d68ac5514124895aeb6e2d0c421aa6c

SHA512
4ec3f769eb857e2f25d85a997bd9739da3781fc661d40725b7cf7a1ddf9e9b0261c945c5399152e1d1da2e1ce41f910df7a31e7d8bd4c3ec4b146369b8ef570e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f44192a69c995eef23086e151578389c

SHA1
85c3001068249f7d4cd58737eba0dfbb52090a2c

SHA256
2cfa6cfc478319c8e8f9247bc0e0c353d459da318beeb473e2421c0743418ccf

SHA512
9e4bc626f671c22b855192412429e830e5a2d199f7491c608bce8bbbe049aa8f46dc8bcf840c053178530716d69a7bd0912697a3163808dbe6b108c05efe0b9b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
90b865518ddae516882799b209a5d9e4

SHA1
88ba3a50f730788c67d9f9d4d02aed8d039a6239

SHA256
4c3f45175c5c12b4187114bd7cbd27e47e5fe3f874f0f3536e03785a9d198a48

SHA512
fd44b64ff3ebc42b1097380ef084fa1ce6caec8dca72ddd003c2337186e118a89fe605a821239cb11358ab2796b5c23f81e3b8a038f1a48056795e03139082b5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4943b33ed35d4fb3be44d3c028b5c27d

SHA1
13176138f92ecdc669ac089ad32985ae6a4c6a84

SHA256
60ca4e77c0134267d0b509a132953e1e0cc39918c18bcb9fe0357a26ccda346e

SHA512
67d7249db087fbc14f86bd5a000d724c2344b7da3a57f228a1458f680b214ec38733152954a36bb239cc20865c0f8b7cb35c5d8e80e4b7c76f98494de8410a04

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8102cfa4d3cee4e320e60e9aef139bc5

SHA1
2dff8cbf5cc6c9259b11db9d8459f4d37c791963

SHA256
30684c10aa201e6f5683ee7969f86b8abe5e4d480b0c4abe4a2d600161613c2f

SHA512
a65d6048e2890234d8aef0ae2482c7ecfe38b44b1a27919f7f149aea5ed2cd8d8fa7ef9955310f957b952736dd01876980104bee4faaac296814d68ea339c71d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
96989531df6cc2d6171e235be20452d6

SHA1
0f38cb42f2f501adc820b4391f99416dd35c5f89

SHA256
4bca7cab8f6e5dd738aa6552a137f706f49284bfb27c3992ab1ebd59a3bf8d74

SHA512
d0cd3e05e5b7a5f083aff56b86ddb8ed5a4d792d18a6a57c8edf0c7505819d6343cc3189ebe9a9f1c27bd56de821685aa9debb7f1de80e9c4750ef6bf0c8e60f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
55949ffcdc27a87e5462621d3deeb5a1

SHA1
8525b764728fc06bd18d9f6237d79a2d20a8ed77

SHA256
e46ee20fb882543c8e4346b10b31fcff5a990bb86881c4e78c21565133614475

SHA512
b0c1ab2eed33511a95faa689396cc4f879fd989af51bab6938dbceb40d631046356c17e10b8319977f0ed5c18c885f89f5103ab8e2785e9283016af0a4cb479e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
da564ea7c734dc4707e11820f2fced05

SHA1
83d7ff62244b2738e33ae4183ef381d80e125ecf

SHA256
4f566585e916417386892dd5f3cc2fc24d185a2049531eb0bd4711b47f82305b

SHA512
966440a185c5db7d00a7fcd37306667de8484b37f918222bd06bfab860f27541905dd89686e56d658126232b4c0dda8b08a3184c87b1ba6f8ddceb74a52a9ad4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7165134d1343169a1ac9496572d71508

SHA1
0718372ed20771e8cb5ffe6f017242b672f18839

SHA256
d4b2573d17e0f5f658d7cd9e3554d68785443f4714d5ac533a301f15265cdccb

SHA512
6eb2c5c5abcc473cc515075bb32fdd9dcb316aea7fe2d79db2996ffffb4b6fef7010e31052eaded81cd70692e2cdec421ca3054ff00e6b4eb6e28538e0a97d94

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c5e3b5f062b0beb66d71e77249364bdc

SHA1
e12baba17af36318e8a9c7233c676ae76a619ec4

SHA256
e2de3fecf436116e31c5c3f79eae2d77dcc5f669caafaa09e0674463056c6329

SHA512
36ef9b5ed16c8e18bcb615bbd7c8ca95fcc2fa4deccad83b23f7ed3e19c7802f7d18b57ff65c8a648c04bbbd697cdf147958ba17570d8082ee5dc3f7d47c94c6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
89e74990b05374438628d503f3b87aa8

SHA1
2163f4aae1f61c3389289a0dafeb4d13cf11f388

SHA256
8a648cf5aadd132649fdec0beea49c9315a743e2035cdb707d4561bd9a01e0bb

SHA512
2b19fa438f7201a64f6a6c87c17c78b88485ecbc4f7f439c6d4299861afb866a545f44dca86c34fe0c99bd381708512247e8ec4214fdb0b39a85537ecabe8f63

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d8ff8f9f71afab0aa51dce114947d020

SHA1
df3acb9c5eea55db0816e047fdf3518c89eda90c

SHA256
728821cc8c1ac336a0d799b2edac4e28d1841670238ece892b6bcef54b9c3ac3

SHA512
607770d51cb064a76c71819461738f48dbb934a55df126fc6474bb26fb09654ab11b3f26c80173fd914d4a0afde30c2bfd30bf00a368514ef0aa4139203e0d86

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
cb4d3226308028804ddff9f3201b304a

SHA1
95e4c5be51708b9e3dd3d2bb69d226512c20a08d

SHA256
2d4f883fe7ec58e6090a2067809ca35530b495f635d50ed967eef738984085c6

SHA512
56b5ac58cb718888a362e99ff72f313ca377eae09d0cb1057254276c44c8d4b416103d09c19fe3798665c439bfdd1b04ded7e27915882ab11cca46c5463945c3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b7e09b54b45f9783af4446aa08066557

SHA1
2907cf32c6c0e4dda824e558b10bef3f0ac10283

SHA256
64183fc1e4afc99f7a11a8f6e0443aa88c900225a316731ef6ae186154e59717

SHA512
254dc58ccc230eaa481098556e1b48d4cc2bc87609386934a265939bad789c129dd1efde5863bd20ad3b1cd60b6e6352b97cde55dde1f41ec68a7af20cb438e6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e0719784f341083d600b0741668a0046

SHA1
430334d6d20abb4c400edaa963bcace30bfbacbf

SHA256
69416d27f4589d5282131f663f2a06d7e63803dd7eaa6faf93966f8ca3ebd3be

SHA512
c6fdaa8b288e8506b636089c389f3edfdd1ad89233d6407b053a3e684e11ebb6e2cc602ca3d4b5101fc71c18b87fb6c423b5f0cd4d48d5dc24f3265ad4fa954e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7c7a277b84a6acadeeba359ca7444443

SHA1
e7f91eec5bd98c9424260de8a8d4e45d9eda95c0

SHA256
fcbabc100bcc0ebfdf9de9d1266164d8b7b8ffc9d45fa958051ef9f0d9dca41d

SHA512
ce5e4bafd6c2fb77205d70eafb88438fe3eff695d54300f6a8573484053d66b169d60d2a6baedc62bdb1730bc7242bba3ae07e674c389c0fc3f6babbd850ab20

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
678e7a94a6d7ea1fe4dd4339ff6ba30b

SHA1
47b5fa07e2ceb3c88c7b0ba8297def07b3a2a876

SHA256
51d1191a385dac2d7d0164786fa5d6bf46855cd661e5a1676edba8844d545c1f

SHA512
9dc0ac96b5d77f5b9cef28fff2ba60c692deaf37f948f0804d9ae2cbabd6b7c2cd18acc16a7e3f84623aa3b808ae4e8d172aab9b7ef5e307307b92ab0206783f

Download Submit
memory/704-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/704-592-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/800-309-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/800-428-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/808-605-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/808-429-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1172-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1172-40-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1172-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1172-31-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1180-18-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1180-25-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1180-27-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1180-24-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1180-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1656-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1656-259-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1656-258-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1928-604-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1928-421-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1996-416-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1996-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2128-297-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2128-404-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2504-1-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/2504-6-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/2504-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2504-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2624-340-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2624-527-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2772-596-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2772-355-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2900-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2900-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2900-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2900-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3600-405-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3600-603-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3612-367-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3612-599-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3664-392-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3664-273-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4016-441-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4016-595-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4016-328-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4044-366-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4044-247-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4044-254-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4044-248-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4456-390-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4456-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4832-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4832-55-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4832-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4832-66-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4832-61-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4936-442-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4936-607-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5000-242-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5000-70-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5000-76-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5000-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5004-393-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5004-602-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download