d194b4c9ebbfb6e4e600edc88f4e83def64a606c8a0587e2337c9e29f73bc444

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
Size

1.3MB
MD5

d49d834c2f6be90b953f5ad604969d32
SHA1

dd9678187f2e7af7d492b3e09ccc4ec3a617cf43
SHA256

d194b4c9ebbfb6e4e600edc88f4e83def64a606c8a0587e2337c9e29f73bc444
SHA512

d209c700ac6555538a148b92b37b1906d44482218e7f961db54a75116246a6880129abeeef77988755f34d6c456a94a28a66a029de2045cbb137fe0ca3c17f77
SSDEEP

24576:r2zEYytjjqNSlhvpfQiIhKPtehfQwM9qySkbgedSmaouGSPGM9ZQ8GYelhwOXGEI:rPtjtQiIhUyQj1SkFdSdPGM7nmoOl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2368	alg.exe
684	elevation_service.exe
3880	elevation_service.exe
4076	maintenanceservice.exe
3228	OSE.EXE
2712	DiagnosticsHub.StandardCollector.Service.exe
1928	fxssvc.exe
4368	msdtc.exe
4184	PerceptionSimulationService.exe
460	perfhost.exe
2148	locator.exe
2400	SensorDataService.exe
1632	snmptrap.exe
3832	spectrum.exe
2940	ssh-agent.exe
4404	TieringEngineService.exe
2036	AgentService.exe
3544	vds.exe
4476	vssvc.exe
2560	wbengine.exe
1824	WmiApSrv.exe
5084	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cec00ac392be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097da00a158b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da6eb8a158b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa911ca258b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac6934a258b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f141ba158b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee727aa158b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee0ad5a158b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000600108a158b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000359e24a158b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000996048a158b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b17a66a258b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
684	elevation_service.exe
684	elevation_service.exe
684	elevation_service.exe
684	elevation_service.exe
684	elevation_service.exe
684	elevation_service.exe
684	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5036	2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
Token: SeDebugPrivilege	2368	alg.exe
Token: SeDebugPrivilege	2368	alg.exe
Token: SeDebugPrivilege	2368	alg.exe
Token: SeTakeOwnershipPrivilege	684	elevation_service.exe
Token: SeAuditPrivilege	1928	fxssvc.exe
Token: SeRestorePrivilege	4404	TieringEngineService.exe
Token: SeManageVolumePrivilege	4404	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2036	AgentService.exe
Token: SeBackupPrivilege	4476	vssvc.exe
Token: SeRestorePrivilege	4476	vssvc.exe
Token: SeAuditPrivilege	4476	vssvc.exe
Token: SeBackupPrivilege	2560	wbengine.exe
Token: SeRestorePrivilege	2560	wbengine.exe
Token: SeSecurityPrivilege	2560	wbengine.exe
Token: 33	5084	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeDebugPrivilege	684	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 3308	5084	SearchIndexer.exe	119
PID 5084 wrote to memory of 3308	5084	SearchIndexer.exe	119
PID 5084 wrote to memory of 212	5084	SearchIndexer.exe	120
PID 5084 wrote to memory of 212	5084	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d49d834c2f6be90b953f5ad604969d32_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3880

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4076

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3756

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:460

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2400

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3832

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5020

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3308
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
12402c72812f7e613e47ac676e790428

SHA1
70afb4d34552d6d1726006c5208e6a8493217e8b

SHA256
c14ec84aad89b5a5eccf09a4d08fb15e8174e006e350fb71a5771bc06d9b11c2

SHA512
467f41d987afcd58ffcf5ddb9ab337ecf9394b5ca9990ea059c30ad89c1f75196088c40f69319f4a8e8136a3eee5b432ae3157533ac37d72d0f954a9ce91c326

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
54f27b60935dd356dc0833bc3aa2bafb

SHA1
75072f67cd0dde61886a5327cc89c2a3c533fcdd

SHA256
5448e636516a16ebf2b7a94a540ebfe575aea262fc19163d6309b76e42f57d70

SHA512
6b1f1bd2b67308833a6071d1d216cd84ccbabedf68e0c8028c430a30f259969bc692d8d83e424e49c0df6f16a78edc29ebc989b154fd873490fe10d4e3547682

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6f2b8dc5f7d683258d807ac68d657bb3

SHA1
9168f8eda3f9273e528ddaa4dd881b585bcc2f76

SHA256
826c300e294dbe1dcac0b1435651b5ee20858aaf90a4ca9a194e51286e9a6e7e

SHA512
280646d9b0dd471d7dd0d714f00f7f3976711bef651cd2757eaf257dcafdce02ebc3c703ce1e53bdb4cb3565d7214fc78b09b61688f880de6454652c0aa13fcd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
86da6035ca4fb4c455b054890ec1ca30

SHA1
19246f7e702cc6f1caafe074eb7f925e09340b64

SHA256
d0c91adfe3c1137d530d6c6bc72340283bdfba65f2a612151a1e6fdbfe92e211

SHA512
e34c459b915fdd355c0f819330c2bd685ef68f6fe7121c1d445bb34a525887c490c3b48b25ef8c884c97d67a6712f23d4675cd86d576fb3b12a2ce9cf8c2ee40

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2de7924348e66c4ceb2365b12ea50418

SHA1
8069f9f30005a234da4406d06d06290d26087ba5

SHA256
7a341f82cd15943fda20a13d7e194804321dac7f48e46e5360f56c7d2aad8af6

SHA512
88c7d44421cbe6db0320080efa6d64ecb25687ef0309b5f53d04d0e43733da139d160aaca49eb750afe4f68662de45741feed779e5281090421ac4d0180c832c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a3ef8ef04dc1721226a7350f0c271d03

SHA1
68d2f21acab21f981183391070a2ab3a029c512a

SHA256
d044a28751761de9978f474295c1994d6e4f07578330a831e4b586cec3c4f15b

SHA512
a7e9234c648ab01d9f5eb31d95b792b7ae40127f8f3acbea2adff5faa8e5fa43883d0f3878da3123d9cbb537b56c4797d4c2b2be4693bbc6eb3ab1cceda9dedb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
41b94466dfec5611dae61c04d4571845

SHA1
1d2e56cb92a04f21783341141887f11fbe110ce7

SHA256
aec7f71d44808be36912d4b96a3687142c07b90ec87546e5210d053ab6dec1a6

SHA512
a1bf6b7446d84c65d32dd568947bb6119bf1b11bc69b0e6228b7e82db77b15c83020768edf1a1a11e07d701eaec23c163de40ccb6425f642647da39fea500079

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8b40400f8334057872f9095dffe7dede

SHA1
2ba7460746a67f8d92381881060eb1d78332c0b1

SHA256
c3af89e127fb54e114a88d7933d3a10c371975e328cea980e19e826e926dc560

SHA512
85e246fbeab3443d4ac9b08a9418986252b4864e41292e892e4c8aae1e65588103c9f6ebc52e4b309bf534c547b72e6293f695fe8c263e9aa558c2cc49605ecf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ecd124cbceb28ee7c6c1a4c96b60bc24

SHA1
d1c04b9a8980a0915d15e8fff8640e48d2b24f07

SHA256
abcce88deed7442754b4c811c2eb7707e4695d50e4dacce4c156a921d9e2d322

SHA512
bf1f3ea76926cf8ca98637529d4d8cb3d56d5def8c5c1383915a043e847d79098e1cc698bfb96cc4cc3ac4f2daf819ec6e861f3ee599f339a8359d7e0fe4e55d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
67b313748063ed69b629c94aa79c5c4b

SHA1
359d8c8048f098d7d8f8e6a83ecebde713d7ddcd

SHA256
6fb402b62e59688dd8808f78a12c997aefb70e4b098003aa83b29fce804c495d

SHA512
7b5cdf20e02d9bbb7de8cddbdda10d0e5f75b79a3f2cc41d2824819c62778d9f50bd5b517ecbcd2eca25ba37b3e1e4fcfbcb2bcadb42f49192accf9c70fb1e81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f50f83b50ef2f92b0b259d519e37f43f

SHA1
9c356d74d0f7947094a396708f5eca1a8f1048d6

SHA256
4d0579cdb04a3a3f36097da86294b76b58c8fcdae8fa01fe51c7be9ac4d889b6

SHA512
f264fdd461b7d112cb79fda1a8aedd526ec596b2a4751577d6d10bbede71be5763cb3360881f16db621339857c6be3d47696988462d471a0a9d5fdcda78ef0ac

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
884897e91ffb2477c5f2f6aa52ea90d6

SHA1
946cdb427701e40c048539b32d8fff2838690868

SHA256
e8b54695bf710284a5e946b3fc8b9be9c6e725d28b9a1c582df38e064df9e93d

SHA512
b1525c8aa45f18a797ef358a7e07a55a30349e4cfbb7a441dfd6f71091249daa27a795b6eb4228a1d090c1c0c0a3024a030ad27bfb8538b234eef4662cca1f1d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
dd75e069c59931f32b274c132f2fe9c4

SHA1
5d109a75d24c7e27d5fecd52276cbe3f618bdc77

SHA256
4182ff8ceab982071c8a250b968b31e7787ccb3b06c1fc9f48e38da27bca06a8

SHA512
98a5c581de049d79b2005c6410f87a2ed912c2bebcd3e9700f247bec5d0afc877785b1563131913ddd3cefda1c2d5673ef00aea8ec284f07990afad65d4fa954

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ea08764f409ea5ae2658ec81e48242a2

SHA1
3548099f82eb5bf1f038cffaec8cb13ef004ae92

SHA256
58366e464e4dbc835217c47e194fca70421461664724dbc3d296a60201aedced

SHA512
0fe00c4bc513f799a4ca8d0ae1fbc9a22385e52d961424bb428e787d8e6bbee3e3d3560357152b6362f10471141f2a4aaa831113e83f41e810697eeaca44064f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ad18163c30e08d993fb69f9e19346a78

SHA1
a7e78918445a7ae037cc40cc6c58b07e17665795

SHA256
79d6e0995f7084b9e155d82a16a063906909266ad25c4a497512f71218f4fdb5

SHA512
6443b980a5b9a002df1114773da9f403b4fe4c644c0943b400ed32840091ca35b40679cd7d1deee8ec266157a727b9256fdad4553f62f1f61d1c75f37c55f0a3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7f07c8e1265c1725520b46632c7ec2c0

SHA1
87d5cf2c3c1a7b95dcb633e0ff767f73832f9650

SHA256
0d32693c113964a92981fb15f6c09c99ce6c58e627a2a2e8b06d13c66305e63a

SHA512
218c7a7d4e3734135ca46f3452f6388832f628d49e487398cb9bfa2fc1309d30c6c588947d288bf04dc4210bb8888e246c38eed34f4468b438461a7265d0e309

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7049f699e5b6e70701841f684481d57f

SHA1
9d5d2514f0016330564504e6dcbcffa66580ac14

SHA256
a026cb02403411eaf8786bea1bab929ae99e6e164f6837472a2b84ed058503e7

SHA512
34f800fc677c9aeeb2f67e74a3daea91bfd4e8be197b2dcb1a678229c05a2c46ee1099df7c7123c5ce8f349cb4f516f3f4197c387f8bef4f350fb662e1264063

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7d9d5a7d88518180f07c86b49589ecff

SHA1
d9f2ec5fd0a0b907879396c858312410bd08c075

SHA256
d11c28d7b5aac0ae6c44896b8dadf227e89f0a422be8d5ad072d1176c530cae8

SHA512
967b988976d9b3c20131e7db2bff680d5d9c10f76a4de9caccd94fc62121e7cfac2951dba9e754046f9ad05abf603c81c327598922a12f640b52e0279cfd19af

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
139d78653ea4bf2a02629899509f3756

SHA1
efce1c0fdcb6e38118438fc05f2ccdaec6e59d18

SHA256
ecb81b53eea286ef18bcd33c68d6e11b112596189d44b2c67b1568c2f16739d6

SHA512
f60ebd75a5fa7b9242b8afec8afd9c16400f4453f5f4e55cf2ac029c5cefaa3b38f1cd29629c66de16db2f0718c80e45146ca72db1e2e9b4b880ff0adc74dee9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d00feb4e31db57b1be8802b649a75c3d

SHA1
cda13d116c3271a654e13c92fbc01725ffd0c4bd

SHA256
1f62aa7620db95dda351e7fd1fabcb73739e7143256fd18782bc473670d2d710

SHA512
2e34611e641202cb8815bc3537ce6be8ec8421604e865309687e8ca02f064ff499a8dad54954f7d488319a7946a30ac2db1b3eec22ccba44f14c19471ce0e1d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8d006ccb56bbc1d28a2b5579965f218f

SHA1
647eb3033d78251852c206f3da349e8bc3025bab

SHA256
1bd8413f1d661302086b37c66f71ab41461df850efc01095c357ada62b62d18a

SHA512
e76e6ce326770e63e595e805c21421e520f8389145d475b6d27f6037021e43042893e1320108f83974317c7929107ed98a639e3721e328e0494dc90b2ab45620

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1584422eba1b5f211a604bd56851106b

SHA1
876ef6ad8040901243174448a18045409ffb478b

SHA256
bf7ccea6bb726e46f73b7841f96619f890721e1f18586334309ac318e47fea82

SHA512
63aa4f9a41431192bce72d7119b96c6d1619fbf265b45f4aad3e55cb2f25fe10f7ca929df9f47d05a6aa4fccc2463dc3d25eb5555e4a814afd2779a5ba9db6a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
623f827299665f21a5c95ac819a08c35

SHA1
06d61f123d2c54324f29386e5d23c5169f497e0e

SHA256
fa241bf0c89701b1d01c5da80be0a1c4c2b3f1f448cf176189e52fa58ae83288

SHA512
12296f2274a5c05b5e749b318397ee172963e401bb6a51a9dfbc34c37eff6154ce7a5c50b02629b26565ac93a19e8ada42d0d2b68c770445a1d50b87b313d278

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
914e0c4d50135a8363932860e575570a

SHA1
377a35931613886fcf3859fcf687765b3708803d

SHA256
57a0fe37ab621fbc2f6f23c84252540a5fdd35f19473d9d6c68d38033f144c38

SHA512
99dbd80f094862be1d7718f747c02b52f5a746a2458b61ce554c3d1615bae02c6d422982e793eb4654cb0544283941a7eb5c60188b945305ae8619e2bfa17780

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f89449d48b82b52e1bb39075e1117ebf

SHA1
86505743d173715f55e60d7eef26f14f57708bed

SHA256
84e2e0952b11f8268c8ded5e06e466f3f35f281232cdb4c80c20ef02a511f0da

SHA512
6c840f1f5bf010b49e9272c81dfdc099d2c9484b019799396283650784449de91977513be4ed499d61d5aef6ca5dae52634315b7e7d71ad3f521f75291d86b11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
fc6d013df4689fc9488e03769ce40308

SHA1
0de7a2071436c7011aa944588ff660c261af93a6

SHA256
db6682111eca13f586551f50a732534e53b4f12d60825e0a6ba429d9bba2fa6b

SHA512
1fee1ec4314aa79befc4f7abaf74aed939778e90a999d58dccd4af1190a81cf8a2f2f2f660e3ef5e0e93f88cda2a28ed6bdc3260fa35cbec222584c2489495ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
42b1f05cbd83b3b183836dfede7fffd9

SHA1
9b7c51f2ec76af768e44b7958b421f8af8d10378

SHA256
11c5e033d51da559a5457f3573f4548e8f74412e86c7660d2a7e52f4005ae0a7

SHA512
3ff1d44d948e671805b37822d2912c7699c0c83a46998a7dc5557e0d5d7fafec22b546c3c4deb6409a3fed698cfef63c0a03e226e71d0af9f95bb15684e9753e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b70efbf892343c9e6c66ff9d01509ba5

SHA1
4e8d64aa802e6b0c88175ee122d01476e05cb870

SHA256
e1edf4b93760b61d0ad0f6f85f35150d068e8e673663031327d15074e42b0c7e

SHA512
820eb94297ef42feda4bc2ffeacb0a751c972cebd3f10f9c7953467ee69be03752dc019d8984f4beb05bc7d573076c82e11db648e039fcb20d902a270506607e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b2a48b80267205c668bf77a57993058e

SHA1
d6110de609fbffc6bd28fe3ca269fcde037f1bf9

SHA256
54f260f8e7a7a8c51fbdc9de55e5a64300d71b33790dc2b570b933d5143d1748

SHA512
09fd195aa01ce9c09f79f572be9d2269c9ac39c64540e6260bdb8edf6f44cf1ff81d99f76cac1278a82b999a6e8598fcb552710de90b31c7440f9cbb7e758e49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f4761f3987d517cd1b341bb54204181e

SHA1
b1c35daa8bcdc0ad98d26937b72310e5de4e0828

SHA256
3efd10bc9e68399648eb3b2e3c917ee724f3abebb856b625f285c27126d1dd0f

SHA512
4bd6c6585d0b589814bb2da0d34c78055a6d9559a39757bc8217a16f400081f8aadbb72014d6249b98ba176a79137c3c900a37faa15e6cc95d402c3c71f347b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
b717287e6bae98b2291619a9e03835a3

SHA1
2cccc87e9062d1c4db18a13cc2bfea0999498199

SHA256
a3a6cfade8b4cb3fe4ce2a891c261faf0ea1d3ff64f5cbd9026f43379c7bcd6d

SHA512
c22ab6fa213cd89a4527811847ff228bb3dc94bca66325ac2ef687ae3da2ef13df8ea1b6ccc291dff856c1c626e7ebc1ad88b610105327bbe9a0934cb821ee47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
25099772c0ddb78755e1d9fcf5fd50fd

SHA1
0d9f6d2dc83c0a66fbd549b10a2501e49f4b1bae

SHA256
77ccd20b0a0308d714cb3a84e7447cc6dbc04118b5103d2f8533181555aac0e0

SHA512
e0b29f992d122ce1dc250de26a094379a96fa16ff832452c7579d7f5f05fe96faf8eae34a2dcb65fef5cd4e1d046f9eceab09e9cea5daa12f87b027fb5555b3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5d06870267e2d83ffa6a9f883e6d367f

SHA1
917d3d8fa53c9f113b27c2ef53c34bc4c22fd2d7

SHA256
d271d477f0ba4377d2727bae02fb0e3ec0027f15b1e34e7eb968d17b9fdd1052

SHA512
601b313f02582c2f090c5074921a2b63249f6796b5128caa310186145a187afb67516de3fc0e4b4b9680aa6a5cf365f455368e18ed97e193228d9009d69cd21a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
28dacc78ec7b14d5679e1fd7b7155735

SHA1
dcdfb11910bc111660f5bf921947bbf810b11a59

SHA256
0c19b02b77890a7e41f97af629e2ba655073e16c8cb9969d10df7b5c139edec5

SHA512
197861b3459e011518cec364d3d996a3b463c6978ca2f09bec6af650c334a8966dd0236301509b42314dc6d0c7fc1e2913067af4eabb307a23b2be53c741c46f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
355cd8e9b363ab07c4066609e084cace

SHA1
3e39862f2ab0390553bdd970842b8007b158fff4

SHA256
a29aeb74fb1d4852a50a9d48bb0ad1a79fbc9128fee35afae8f0351056b5da31

SHA512
0f0aa58d34b8117c15db671a08e4e39e54eb8234138aa0431599bac84fe096210b44be9975e279adb7e5d595274a07b52b7f88a2e9f41cbd8d60d51930623897

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d43a694ae2018c7a459d92a325ea8570

SHA1
2500be44e7c58d4b38440a446e54cc3711fc5e09

SHA256
a106dbe893dfd6d88955170f86251208a6950d50e2647603e7a5512dc2d8a756

SHA512
c599562296f52b84b21d2137f5d32ee692bf044f73dc6da149033054cc1dad30360ed8bf03b13f7e095abb0b869bd0e523317b01ccae7262707c39822c82f92c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
524667f4b2a77674759a8edba845934f

SHA1
1dcfc30c454b7aaa2c4bd77f784aefeb09ceeadb

SHA256
9a1e843ca77775ffeba64eb428d9c2eca3a7c5997322330ca1acfc493cb9e909

SHA512
13e96f7ca13eebe6f459e29fc2a391b9e8b25e2ee6290ac350171e8d3068ae379c3f849ad8743ef00e653321c90f25e1eed31449b4b6aaecd9f655c030e66cbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
0ff6e51449bc3548efcf3e6dee60414a

SHA1
95e2324c32e4b274c2ec8690ddd9f129e7149a5d

SHA256
4c72e1128cb193157afe69f25a20988b73f09e6695ff3b4617ac27344492e3e4

SHA512
6e48b165c875f374d9a52d484c1f0234802eba9b04b0cba84c2cc36981ff33360570ca9bbbef647f467b88c8e1167618e0e4a44e46a5377670df36e1021f1e9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
97c968ec32f2cb1e0bc6311c7ffd88ef

SHA1
af2787e32919b46b7fbf15de912b7a9d5a8bb94e

SHA256
3061eb6dfe2b45a3453bb8bea217038492752b94e7eefabc03336fecd5f68dee

SHA512
528c17e3cfbcd313c8fbcfd63a0793c8cd487744ec2bee4ae60d9a00ab5871e502f30e2fa6d2a488ebcbc6afa453a7a77c8b59f10506ac118abecd20fea71260

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
4034e40126fece624690065bc6e43bc9

SHA1
6ceaa283473c798a1a803043d7d66228160df5b8

SHA256
d73a7f339a3d103d4deb7d792f31f2fceec88f94dcf1b21453915a4fc071816f

SHA512
c2c2a5a07f33fb6889597dc6b6a06c4d2ad2d89df65ff6cbc5c68131beb613355c9029eb74330f85fab4ee37d93d10422492e23658f61ab77112b72120caa459

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
0fdafaba8123ffea76d622fd510a5307

SHA1
602a671b2b2d92f10b76434c3ab2de2f2b7f6123

SHA256
6e29b639a263611eb63422af4118c1d424eff80b78cbb789af9dead39150bb91

SHA512
5a8ab3eb2ba1c2491ba5a29bd7e9cdaa1fe93080474da8dde64657dda6719ccd39b59802ab759f7c676aeac1f89c8da57fb419f1638d24e296f82316946fe0d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
489c69994b77e50199ad314e2dbed14e

SHA1
c0d955374fdf95ddc3e212bf7f36a7a8e7385d8f

SHA256
fc522f88bc12ad82d50163db29aa27607499c870d9bac9baaac0f6258d858a06

SHA512
9417d7f85f6fa14e94e48cc613da139738af75be5cc174dfc8f8d6e35b92015e6cb0740bb73f226a9b8836468fd7ea727c00fa95416e8271fb2524f20840d14a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
5aabda5be13818025996d8df1da14fc4

SHA1
a4711e7a40073b3377ebf79286caef2b73092b1b

SHA256
7fd476997af82fc9bec4b421308e433112e987e5174950e878b4ebfffbab9308

SHA512
a9da2083c188cca0e7a8373049644aa847cd127f31414e44ca6737bade2827d86bb3b102a610aba6e8311982e854751b902c0fedb652bf8437076a8f408314d9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0b372224d3ca938db8da23c415d5feaf

SHA1
e5858204a3f5a686b42bb0ef3ca903484d286b80

SHA256
0fab8b4160a180e2fb4482f09fb919ac401a1f179284754910bb3d930161391c

SHA512
1556f0634c121e85668533cd2866d5df57d76643258f309b2d96768ccda459a74094a44fc6387581e90dccae0cd0d609f0264ca88e8060ccb76530a0c72a1e35

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d6b0ad632df4b3ad32f67ddb16a096df

SHA1
3bd935c98c350f353de569d720e3481c453e947d

SHA256
d0cf4a275e183707e7719154478b0f0944414c549a13e30aea9c9d94cae88d26

SHA512
0df354d0a2850b18697e81f76ae4a789b6c009cc2e91370214d9f7fe9b0dc6183ddab1c7a027bba838bf8fecbe6773c1567ea734e37464f4a0a20fdc0b511a58

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
96aa35c2d99725987985d9809c5ad7b8

SHA1
b7c4891348e8632b72906b311345f9cd4379749c

SHA256
cfd9570d5f5ab300167ad578df5ba8d8e5018e4246c362dd1d539aa47e37852d

SHA512
e4484a29fe7080d67e204ab099747a689f74e549cdf7f87624be9178df3d52b15b7ef7c6b20ad848bab2f5674013b0f2b679dfc6e361e63fd2bf0f56e66fd7fa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d424f174fa3ab7eece5d3fd53ffeb668

SHA1
3a4c08ba39fb6a60d6d338ac5a77baadeebecab6

SHA256
f0bc9f51443ec2df0db0cdae2fbba9ef83d1873081abdb920c93966cc590a5b8

SHA512
19dc5eb41a26c3e1f465b3bbf9457e17d20804a61c20fa77e828b34d3343800dd4e9d524a1fce9102614acfb97d361ff7aed92d234985e10f37ee62ad0515c1e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
55f5229074bf2d7cc52c5b7bff451c13

SHA1
77f0d8b388f189360ace268c79b0e7baa94c29e5

SHA256
85e09097f1e24ed130e62742b98acfbdc29c01d65902e2d5ae6bc47b8f0d69dc

SHA512
7dc5811d075123e7f836baa88981785ef1aa790b37db781868dddcbd95f6b68901a4dfb4de0433fd7c64a9e9b8f80ee165ba4b83448cb12744f0e6fe8bf1e7d3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
999b700573843f6bb2695f4a5061ad5f

SHA1
abdba156c7460bfe8acfce3ba1150b0fd6bf7d17

SHA256
a4d8f8f4ef2f5283c281e62766ca5fd90dbffd074ab8adc1857020f50ffcdb7f

SHA512
3bedb81079e7392c383ecd0467549efe31503b388d2d7eda87c25116644edbd1cb26b734670317e34c2fecdc149802587c6bc44db1a2c67ae1f31472398cf62f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
eead70f25a608f859dc098bfcaa5956b

SHA1
108cea232113fba6724e87c0b79b655f3129c16d

SHA256
bd46d7b5893a02f91c2fb08c2dedea1297ba11de5d94832535dc8391c08fec81

SHA512
4522d3f12112155f7d6f6c7e6a7832efee604a9b90f3d78853641fdf4905dfaee77327cefec32824165a03cd620d0831973908be422755f2ca77ad5a5bcd2c64

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
12be5dcb147a283a03d115a0412d4bdb

SHA1
867894e8e5219984e117462f305447d10d1c23aa

SHA256
618d6044720b5c8f84154792df2d21063dbe0d58327b4604b56500fb96c66a6e

SHA512
4dc7c7ad2f180b3f98cf9d3b666ed2a68e4e73741e106ac1a23b25eeb30acb6628dcea5338827e6b9c2c4710dc2ac209597733b5b0b724924c9915631a23bcd7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
162efa8ed569351a6c104609d4704232

SHA1
503e1ef0cff9a44bf7ee76646884145a376dca9c

SHA256
867d365010dcb3fed103c93aa78d58007907876db4fabf8993d03e5cbe449224

SHA512
d84e49c762aa6892b0bf07085a8d4137039df7decb1b85218e58667272b4bf261f669d79570bcecfe697c3cb7410fb6cab61779bd914e7c5a1716b3125a4bc5a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f9ef2474cbb2715b5b8cc5121813644e

SHA1
3e74af0e9dee37597ce786aae4256a5335ac3e95

SHA256
3d30fedc9e28c6b3f22a3487e48fea44e26073e5b6b820e95a803affed71d6ad

SHA512
7aba5a61b0b0ddba4e63298a077483d1b191050745ba1f37469614012fa518f016ddd7106b7a562c201c109bb5e62d9a7d84750144b86beaad70417bd410d15e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9e205c91c662c9151d1afafd5801a33c

SHA1
3f91225623ed94a22a4aafed1ca8f7352fa65cb1

SHA256
9fb6a78738b936d1626befb82476ca0edda107d5b619815493323fc23b1923f4

SHA512
ad31b9bca889c71b5fa908f2840a943d5d062539c00df775b88868150540c5319f2cf59c311ab365ef757b7fd90d0431553e7826d94bbbdb68ff1302af33a0be

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1d682cb5e91cdb1dbcac27654041a8ca

SHA1
5e04b0203e58d4729bcd1828d4f91bcbb427c7f0

SHA256
c94b5ca8ec437d4939e9772f8ed91aabdb736480683c656029214b02053d6c0d

SHA512
1b0cf8b0b1abfd5cfd42b11f83a07bf710760ae980a133508d7e2a5dfe21e33fecada1c9fb5d11c79dc5784e6333c1c414a215875c6b295c9ce258cb1eda6f6d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8c38cfede2d3dbd818a6f14bc6d2be4f

SHA1
cbb030ac065d298a3450709b51b7d2fa7ac4b80b

SHA256
dce5a4ea287e5ddd291220460870a0afb5fbf00b7cb1b021194be3012c9f12e0

SHA512
73c79c6c2022dcf5098891912e115ae212c7d30400f5d7b83e9f5492aed77a8d84bf3405bfd1048d593dfa94a4d2f2738c62626a9e6c4f8bda7a0db1b0bbbb57

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ef93eb5e03ed18e7a8e0d544ad4d03f6

SHA1
598e13acfa005e7c7b23d606b6b8a4bd6202a060

SHA256
e0dfbb4c2b7400f202b4d5a9bdbaa6f20bbe2111c4e7b6a400125cfa42cbc0d6

SHA512
c7cd33c9d2475310340de84aa5b5dda7654223f1eb974a0954fabec9179760bb56453db51c96ec689a534be5287014ecf0383f940ec21c6e8c91c722e2b3e336

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0c50088d5206cb37bfa4a848f7e5256c

SHA1
e3cd4e70b8f305fe4b967bee0cf39aba6a8ab275

SHA256
70ff440855bca49c45e2927e0a0e15c7db5f2dd8a771d3c6fd056f25b61d6c24

SHA512
95e50facf54cb539b6d92daa25cc11fe8fd42765b242b44bff04301a9ea0a6fd519e8cd8089cd692ad8a55ed0923af38d589ff05b8be6760c19ed75d56cb112a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
10168310d4d43e7dd292981fe956ecf3

SHA1
9b4ffdc687fab05c7b84946353041e77ef003abc

SHA256
8c0466ff59a13dea96ab19edd5a5205e7fd1bdda7fbcf22b62d465852cc83096

SHA512
dd3f5627ebf5c2eeb739225c34e59b756ab54b79c45683c11b80ec0ddca6fc9f5a27858a891d079b27146a9a3cdb1e04efdfceaf34b8ab7641ce35e8751ee051

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c7a280abfb447a379b87118f0b9f3819

SHA1
b4086357a3b2c3c7fe6cc93a5c8cdcabb022f156

SHA256
91bc2b261477913e1b0b82223c3fbb0d9f2939a46159d02c2386f062c75f23fc

SHA512
44522beb1e3f19bc8f831e931f58d99bd246f009bc41a59388116d9c2e1d22c4ec44e4df6ca0dacf51b4f31a9660b19c6858e7779292879b638c0ee024197ac0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b1c291ada4e52f4fe139e1b67a3e6026

SHA1
efceadf6d765cb6dfcef24d767996438b87e8218

SHA256
9e0f9d03889a325c990715e15632974f2dc9399b8983d53ca68d840eaf005899

SHA512
0a73fd4692cc31430414e88453643d05f375d47261f4ea890180d9a66fb6182588146ae149f9761a742040d68f6a3fd43850f29a9252754894cdaf25ccdd071f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6fefc5768fa756eb4b014a927a4c643b

SHA1
c70482b30de1e3cacc796b4987574bd4a36646be

SHA256
687f7ce5e57c14219ba4f25bf026a848a8eae7ba404227c3ea72b03548c3dfc3

SHA512
08fe0447393c8582888580f52935959192a43d2e1ddaf40a1773027d99837435bafcac4f67d0e365054d19097a1d0fe85b7b05beb028851e3c823118483a2554

Download Submit
memory/460-410-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/460-301-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/684-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/684-32-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/684-41-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/684-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1632-526-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1632-334-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1824-423-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1824-633-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1928-282-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1928-260-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1928-259-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2036-372-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2036-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2148-422-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2148-303-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2368-21-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2368-238-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2368-13-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2368-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2400-623-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2400-322-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2400-435-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2560-411-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2560-632-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2712-254-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2712-248-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2712-360-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2712-255-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2940-626-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2940-349-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3228-71-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3228-78-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3228-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3228-243-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3544-630-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3544-387-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3832-620-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3832-337-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3880-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3880-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3880-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3880-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4076-56-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4076-63-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4076-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4076-67-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4076-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4184-398-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4184-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4368-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4368-386-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4404-361-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4404-627-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4476-399-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4476-631-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5036-31-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5036-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5036-8-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/5036-1-0x00000000006C0000-0x0000000000727000-memory.dmp

Filesize
412KB

Download
memory/5084-436-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5084-634-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download