383a4c6546725f2a865475a56ebc87a83c76021acba356e46217872fb431daa8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe
Size

4.5MB
MD5

b5c315e18a1ee2f187522b649f19e96f
SHA1

c284bdf2f6d0d97a521d49b7120692e8a0edc066
SHA256

383a4c6546725f2a865475a56ebc87a83c76021acba356e46217872fb431daa8
SHA512

782ab86e93529097aa652ce45d72e87c7b3b93db5b68936d4da1691b33bd6cb7d5168ba0da58336a6cd4aa3ad7ffe9a68bb88b5645a815a2de535de2f8ee75af
SSDEEP

49152:pwpZHcs1c7tbkFoi5SAa2sr/dxZxS3SCybXPvIzMTUhDddpokCsqZWXS+hf+6T4I:I1cyy6Sz2c/dhSwvIzMwh9o9b2husrb

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3228	alg.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
3612	fxssvc.exe
4692	elevation_service.exe
4628	elevation_service.exe
1944	maintenanceservice.exe
856	OSE.EXE
4952	msdtc.exe
3316	PerceptionSimulationService.exe
4532	perfhost.exe
3408	locator.exe
3328	SensorDataService.exe
2708	snmptrap.exe
2440	spectrum.exe
2884	ssh-agent.exe
3532	TieringEngineService.exe
1116	AgentService.exe
4612	vds.exe
1720	vssvc.exe
2108	wbengine.exe
3140	WmiApSrv.exe
5100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9346be044a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ded875edbbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077009b5edbbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2d3f05edbbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f574b05edbbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a68c75fdbbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e398f55edbbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000925c195fdbbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002649065fdbbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007be6225fdbbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
4692	elevation_service.exe
4692	elevation_service.exe
4692	elevation_service.exe
4692	elevation_service.exe
4692	elevation_service.exe
4692	elevation_service.exe
4692	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3320	2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe
Token: SeAuditPrivilege	3612	fxssvc.exe
Token: SeDebugPrivilege	2776	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4692	elevation_service.exe
Token: SeRestorePrivilege	3532	TieringEngineService.exe
Token: SeManageVolumePrivilege	3532	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1116	AgentService.exe
Token: SeBackupPrivilege	1720	vssvc.exe
Token: SeRestorePrivilege	1720	vssvc.exe
Token: SeAuditPrivilege	1720	vssvc.exe
Token: SeBackupPrivilege	2108	wbengine.exe
Token: SeRestorePrivilege	2108	wbengine.exe
Token: SeSecurityPrivilege	2108	wbengine.exe
Token: 33	5100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeDebugPrivilege	4692	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4180	5100	SearchIndexer.exe	115
PID 5100 wrote to memory of 4180	5100	SearchIndexer.exe	115
PID 5100 wrote to memory of 2972	5100	SearchIndexer.exe	116
PID 5100 wrote to memory of 2972	5100	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_b5c315e18a1ee2f187522b649f19e96f_avoslocker_revil.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3180

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4628

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1944

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:856

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4952

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3328

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2440

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3140

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4180
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b0d61641356fceab9d6f79316944d191

SHA1
c9be3a7aa35e26e3ad407cda7f66d69c84866f15

SHA256
0c2eab99ceefccf863f8f8003f1eec971405a3acdb06847865d56bc066dd60c5

SHA512
2c42021350205c7a54bf838c92766d398c4d8f4f8870e208e6055ae8550b783951542832d3dbc62062aa6349bc7e42d9d3ff27da185711e1086231971ddb0fef

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
fbea7547474f70bd9d6f6a16ce880f90

SHA1
8672804cc126b51809aec759dc0a2e0db214983d

SHA256
d71f6aa427f482449c4d6e371327965cdb579573e1317c66a217eaab8b5c6905

SHA512
2a55f54827b05f2a1561472f6d7b359a5e1a8773ecbc357ceeefa6c855efdc00df5658d959d6388f120ac1cfc24b05e2d7b31343ad7f383165bf2cbd48c9ddac

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8ab0f27905943c9a8d46c48ecf0b0dba

SHA1
013dbc5ee67275ea94a18f6396fe7df73f95bca8

SHA256
a82265c959b2f49af15b05126d7c3d5f336ba7127d04cc537d10f62932b59afd

SHA512
9052613aa5683bf21daa593fedfed72ce4a7672e745e3bb694e575c246288704617c81a219a5c37f04ec005bff58c2cd7100c8c2fb873b167ab2be908278db3c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5602dbea0cb7aba3456b25c6de98257b

SHA1
4966508e998fa044a93bab99d624887b83b201eb

SHA256
a58cad48167bf7b7f6a9c99fdfb8f8674fed9a4d619390d21de89617cb381f8b

SHA512
f87225e760a7216aa96b5fbf2e44bd0b57a97b97a9713d7a51d4a5a4b78dab983d2e44a5206637eaeb5a0421b1eec8ab2b2c3445ecafe66366cff1f2c5a0f524

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
330c61cfe05bc1d04193a81f7f2d1687

SHA1
6315dbb7bacbf9e891f8b516b4656e92475d7a7f

SHA256
2b31f0bf1df5676262cafef493085acde9d83c0098b0364bd495b96563bbd34c

SHA512
ce6ba340e3fcefb81806a6dfa99a22291fc3d114367da46cd83f5b01b5ce18e20154c376479d42066b929bb1929412cfad4e62fc67a2972602715ea25b70ea85

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fabf1c031fcaf43e48b918e91f4acff8

SHA1
0681cc4c9b49d44037918109ca2cf53211c7722a

SHA256
a6a1f2e53d292ba30ee74da2f5c09d8e33e301f9a07328176448a6e6de45a854

SHA512
bfa9ac03067153ef687bd5410020aa6fadde3c58b15555b9b5b92014f5cd0d1e7a6731952fdd4a97061583c09c45023aa751967e19bc624575bcd365c3f30a40

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6dc87ca822d24d8bc8413513ab9f27a8

SHA1
ad31474c302b043ab197d525242b7f9fd8b094ec

SHA256
fd123b1b0965607b7b9c1bf5be97d4a110ee9e5570647742f710bc26bbed30d2

SHA512
a4afa77d9c9b5596b257cadbd06785e573695b9df69457aaa29c5f4fac2ff7e101e2f52c233e1da434e4b3b30b6efcb25dda7f292cb5531e39d41cd28081b80c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
151424939c9eb9fca68c47ef59d69f86

SHA1
3281cdef11b30dffe929217e5f4071e9bf4f7dfe

SHA256
8247af68b7d1b8f0a6590e86e840673bebc7c9ac5162b6342d520f751ce21245

SHA512
49fda45976bb93f0dc606adff946dfb49e6ea5d3ce133e59725ff79a42679667fc850b8bf3c0054471b1bcc364085a52226066e11a4e1dfdf647e873e8d219b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8ea08da9e92636ec1ab4d18b6e068c38

SHA1
85531e63484e264d99ab82c37c2fcf8ee3900652

SHA256
54345aa50b6e8b0ddfc14d28a8f43b8868be651ae8b79fe37e45bf184f2b32e5

SHA512
867900d182d3e20980cdfad9cbf3af2c8c4cae019685b3bdf849f8dc771cb87972bdd995135e3000e672c340206028f64b0a55f3493142d4091907ab3b7007ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b5d5527aac9e926db305e34e2a0b24d2

SHA1
207f671851d4bdde500db4d3452e5fb35502ebd0

SHA256
f1c663817d99096f622176cc07c6a2fa3996303528df315d5f72813914d01b96

SHA512
449c2926d067e00cff7c1451bbc591f0f9ad85826442aa67485a0b3986da087bc27e91eb9f6df7465d995270af60885bdbb0f5764fe143b725eaccaafffc7f5e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
21e9dc734b347da00e1311f2e50a7218

SHA1
c3998d9dc8dd62666293a6b563f63624fb9d98c6

SHA256
99db0432768cdfdfaf7dc4755e9ef9258dd8a70715f8d228b1c0dc5130bb8778

SHA512
f0c17bdf78c68cc9c84e735ee24a2ea361a44437964c46d2c2aa4d4ed17479fd5670eacaf329fafe9aba7a88c79ff85e788866a810b41bf33532f1f08ac6d072

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8bbbfb8258947cef5e0d71611564c831

SHA1
a6c8bd041430d5af1c6d0b497f49b517232c699b

SHA256
3af04ec2f98674643a67c190a4fb11b4828f4b823d88c888d4f6263a3355ce59

SHA512
ad56143a827f0858506b6761334ddd9fd6abdc611b51b57400687012eb0f31e7bacaecaf1d9b2ad74be986cbb3416fe84d39031543e5cf17062044d6f888127d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4da7e643c6cdc67a34efeba001e6be8e

SHA1
5cf21cbec094e880f9cf502b1d5158f297f9824b

SHA256
9a68a42f8aa72381c3782e5a911ed15ce43c70d99c516130fbab4686c52e5b1e

SHA512
7bafb5bebf8de6bef87137b1ed47cc8e838d0d5954955718fcdcc978301a04169e2e7e15c95f9da9c3f38aa9947795f1af091d98ea2eab184db71b5ebfb08345

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
4dcc22306e23f9a049ab23a5a5dcc40d

SHA1
5b36e9d809424399969b393312fd9c2ea4886008

SHA256
41e8e03009b5357d9d52c534e5891f77b690e0c79770399f3b0ea5c9994864a4

SHA512
2a96b3fbe74d9367e857e9e08c77f6c3292b1b1f2f9aad0cc3e8bd723301dbffc5bd6b73b3ac418616aef96670845990619bb50dea79d267946fd8bb74f605cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
afefddad9f48866fb654df5a1d4847ed

SHA1
593d1cad4c38a9127871eae4fe4c8bfa4ff096d3

SHA256
6b1d24e83b2f6eef5c52a704993717f4efb4a9098c94c25f3d1d0058eb399ccb

SHA512
e2643d48abc6ad5622b35ef68975c7396be9e8969504f024f166d7c69fb0a45d0887a8b2337a08f789db45671b01a2b483df512eae6c88cfc47ee142e590c2e2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5aac1f50e91c9fa63552d0c362c366ac

SHA1
211c363383a679bab967b90f8af3ac89a2591589

SHA256
e07011e5c29691d22cc88bcedb16be13c89db626bba99b9a22cb4e09b327a249

SHA512
0f50a78b15b32f1dd01bae20e7c6e030487a6a0869085d5f189e24310a9dc09a0c381ab0505d68c23fcd54b82946fc44df8de174d4f4d06401414fb615f7f5ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
45eb8f19b549de8a631e3c933efc9c4d

SHA1
ad7ffd99f3fddc80cad0674f202cda4e7b8e08fc

SHA256
4808745a1345c62d7d6fc953f01656c94ad8fac796c0fa25eb8ff4689c059b61

SHA512
becaec0084da57c27f073894fda09aa16842c8524bd79341064b5e85947a8e6a3235459549409eea81f89f8d97c4dcaa2a8e782547b0ce25783910cc03be3fa1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d58c5817850b73673981a793e520769f

SHA1
2e655d369023c43df56695116de2ffb153211f5c

SHA256
7cfcc0ea3927ae76fac28b413a223798e1dd87b03a2049c22dcd27ab9848b98d

SHA512
34171f1fd65b8efc3763515caf1bd00b0a4e6e69636fe55501c13fe1d966e17d1aac86d6507110e8def15c152687adb8b5d6a8a99f693292c677f6ef24e7f4d9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e0300a7bf68e1847d3ade78681aa275d

SHA1
e12308bfc73b57e685ce35e7ae8b63b5046dcee2

SHA256
88ad206cfe078b42c35e3bcd8329cdd4e3895938992e90985e0539ec0552389c

SHA512
72f45b64edeec0f0aa450a85533dd95382f3320a100c2aa0d060f0993dd5836497419e4c80d38aa24c22bc6fcadc8417ed1313b88f1ca2ad9bc7a0d729870268

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7a443a49245f77ba8c8470b25222a597

SHA1
f9436b0aead2f59edbb50d6d8b446e9fe9bbd76d

SHA256
4130d9f247b5279657a2ffebaa1deea866d38593049ffd0e764e2936b92f8a87

SHA512
cb3de48b6a84615c7fe7e34efe04ac97489136dd572cb1e4d0e3d825c6b76c24bec73853f7a62eadf925e40dd9aa816b6d69a8290b0c0f845bf68773ff87fca6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
663933d1ae43aa2a6840997a78fc144a

SHA1
fd3ec8125dbd1178253e430d1ea14ffb965ede45

SHA256
3a2affe8631b7d1749d17bd873e3ed732a45b29fdd3d0f8ac7150711d3219491

SHA512
b171261f455a2981576be867491e0660bbe63c501cfc4bbc889d1c2b3e11cf9c56e454810da1f536ad5ad862c18cfbd1373894d64e65adc9536a3e43416a3113

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d5ac3c7b9a14704ce490aad6d9513c81

SHA1
5fe382c9c931a9e71a5bc5609ac96837e10d4dcb

SHA256
e2727185425449bd4cafd0558a9135abbfae0d7d54d60c82da8a20f0a96853b7

SHA512
cdd61c0a05e53a8f8aa1a12650f3f9abac9ac59252015fd3cab1d697d31e3ff17213614a48fa73ef0f0f93e6acb112d31bbf1c3e72467b2680535cfcefe21635

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
95d44acabeaa54e68e0d76770a1de8f6

SHA1
a56badc5fa4e4ddc1057b68af0c281b14ef14634

SHA256
00e86e8a8d4a20d931b1c32870e4508537e1d298dc01f4f0bb24755dd3036763

SHA512
c0e520b5540a5ab6df489bb0cd3fd429c0350d7f300190b400398bc941599c2f8b372601d7e353d75e91381c099f95e3f0c5346f07cecf764c8ca2149b63140d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6378f7a7de9075c7249e0f8fac132561

SHA1
73b3a190ae66d0f2d8b786c7560825f50af4992f

SHA256
d051211c0473f14018f4d8caccbe65caf4ddd6365b280bd70ca2d88be45ab6b0

SHA512
2c8514e3e70ebbc33fc49ce76174bb1ad77b98c8f3639fe8fdb3b9199d3e68078dc5ee88f5ec337091bfff8266ec925b471b6f16f94cb803cf622821775f9bcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ef2b7e6ef0be4caf1df7938881713863

SHA1
d3d549351133953128b746cc6e25ab3231d6bbe5

SHA256
1fe6166382fdda5ac48b2088b64b0322bc6eb1f33da7edd450897b3edf3bdf5c

SHA512
a925d46a5f1d794e965b54c6904bd82cc36a85166b8c95106a40ecce62b7bfa5dc0e82d8fd99fc5a21a69f1111e0f4de78f782826e08b3033b47b098b6430358

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
01727324885ba93c25aaaccf47dae7e5

SHA1
2ea154ef51a806ec7b811e758cf15e668cde4d8b

SHA256
c5c43b92c425ad8bdf276a4fc209a99a9734835db85993eddf0853b471222fb1

SHA512
75b9ac2f067538469b393ff1b8d2ccfdcb2a543a9012d701f7b5d479607f8918c09a04c9359e2aea381e92f765490b7f3779559f960e48820e8e9efe9b4072d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5c85aa0a2eabf00b925e757de68caf3b

SHA1
e4cc44910bd4754817b170489084febdfec55fd2

SHA256
ce21adffd79c8db8b87948bc66c50e234b3c27d24c862e697b340852da5cf16b

SHA512
eb4715b4be1c808a6e7dcf116608a8845d481daf66f85e38d82f9e23c949d34618deda71d80a6f1314821f256b73ff5e7ab62e4198fbabd0878b6b4d6abcb7a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0978b7bbdc5bd5eaa67de95da5e2bf33

SHA1
b220351865b73dcf911d8bc170f8566937c7f120

SHA256
52b3fbcb34594fb7082a819a67879e7457f79c4e0cc3c8c5b87c20c865f33c48

SHA512
411359272980cb470ed531556fa6d66dca6d6a866cfd3572c4c802a8aa756cff7c35ee235daaa2ff5b2aef72408d04e16b6a585b7177f6a0134ca24d17609a68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3c3ccc0be6c0e54e3e995337930fe1e2

SHA1
d4321767bee404d81e29a1238f40f8b920d5adb5

SHA256
28c7b60fad8345c04382b908505a09b49d1f94e0adb64d9252751cec7ae80e05

SHA512
c567e9610237712726dff2dd484b3bf1eda4a2823f68eafbbc6b190ab2acbcd52af47cc02c9b069cde5d94ed6999563a734357b0b86968721aa9b23009f952b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d28ec32ac9ab6a55f203dde5365aaa14

SHA1
b663cc20afafd0d9c1fd7683d8cface4716d53d2

SHA256
ac320d066e974530f11df0d3c4b4930a0b748483daba0cc1c2a57438d564f9a9

SHA512
1dacb02ff2acb2c0dccffdd594bfb72a0762b2f33a8a0a341e86d02acd097eda03b9384cf8297c6144a42d6d1f5f12a168ac7cd30ecdc2b03ea64da9a63cf18e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
52058732c60bd972704930e9b827feb9

SHA1
42e0389f5c371e1f05318334092b9705160e0f79

SHA256
e43e87646c474d397db45d8f2bd1fd906bcfaf1e73416d4d6da41590be264cd6

SHA512
1b907a8af821600fe25c076ff8c0439e5b604670848e578ddeb35d64bbb4b912c3cf34b02e1bb5fb63e1eb31b4c1fee3af660490bb003c5ce0005b4171156e5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
391c329c0bd3398e22f59906724e5ed0

SHA1
67e9e0b8708cc846ade2da1eadc569aa85693e6b

SHA256
a2966cb6dd4fca1e94a8ad6b28f0bd0253bb54ecd205980b7b3f0d12b2fb5d82

SHA512
230ece9d081d38ae8170b27bb533e2b85c432834181a2aa6a8c89443080635f9497cd005bc3c418d1d9ac7f6afdf4972b384f460c6dace8d9fad2e6ed64579b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
076263ff826a542fa26c6232a4db6a4f

SHA1
0f9e0875a4e5937eb327c304fa7cfff9fa1641f6

SHA256
e0401925522b58670b2395be9c46704161742b0abbe09e5c3b53c3a7a85cd231

SHA512
dc125e1912f43165a9bc59dc1388dc210179ae2b00008b3ae050ab7876b3fcf7272bc02dcdcc1f7cc1df1ae0c1b4be4070a0480f4f8240331b93f0d91dbaf461

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d9e0a2f1384dae1a7cb207d7c57eeb5a

SHA1
12b1f3bdb8731379b1f1da5b8139a7c8b01f9ee6

SHA256
e0c6301a48360ada040cece4369a6fc7dfc919b0baa0c6400ca22c84ba39e927

SHA512
55a424a11fcdf2fcb5bcfde80bf01b589e2179d78fa9c4f056027d1d9b2f9560e76e1272a59152b112dce37ec1d5e1a754f4652ab4a85ea8d6b7701c7acd5102

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
1ee8c498b22ae797fb6d1cb24231eb88

SHA1
80acf3d647acdf6dc949c19935d76b0bca3c1c73

SHA256
dfd4c56e2051b23db9cee659289ebcd78f3805ff28aec63ac1f749294771342b

SHA512
7d7a1e304cd2694a850976227c3795d37702751419416d0f4260e90ec644c837cb671ea0f72a5c1ed2536f708c7300c6c6ecb9349e5099c842e8ee97f69b099e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
3ce613afcc5f958c8d6f2224d3cf931e

SHA1
af866037ea404d26f7d66bb6387c48c04ab9502f

SHA256
2c3cb459fca3f6e319380e857a001d68b9e943007e57db2ae1be81d3bc90696a

SHA512
1752f68b61a6383bc13f02588d036c93774a179529bd9f8572d7cf4c5f3af7c8e19c38df9567f87bfba6cbdea6a5e74cd99e21a7ccd43a65d3c3a08897821faa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
f8d84c47704554e8eb98ca360069ba27

SHA1
f089594e3b920ea6d633a33ef8655e036727e864

SHA256
53461add93a4489977b349d0a4c0da78f2fe3feb1e57ca25f98c13293ef65aea

SHA512
9175fc3bfd26dbe1e6451f22d90ccaae146aa72620e5006a757edd4e11b998fafe962cdff053bb288290efb2935a6148bc6831e4c5d4f2b815fc0f0714959b29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
29eecaebf77d6f9d2748186676560799

SHA1
70f5461c23be2441f868078387db7d068b5e6de1

SHA256
e70313d383380a7542c21e68426c2369feb5ca582b3cdaaadfcb8791c3cdc07f

SHA512
e8e6f20e203dd0f2ef8fe74b4b1a54334dbc5f1ec39c0eb224a3d074d7148e7d8578377d7ad0496ce0590fad2ac1b239751aa89dc399edeffad37b9eaa47a721

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
79fee7e4aca8c0b122f16e9b6e657a35

SHA1
cbc033d5c5fde0e0c72b954a1df058b6b3d80ae1

SHA256
7502906f53415cc3b1110200213d103c1be09aecf2f493b95178fa7f1c38e8a1

SHA512
07d982592687f2bdff5d8fc14ca4ac65fcb0f97ccba4dd81b0a82b9fdab79635e57edc44f96f73dd110ed472949a4799ef959a76cbb2bbfda3053d2157861d2c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8454b5edb18c367a9db87e6a6e999c4e

SHA1
551605409b7ca22de66de7fcc5930e746230851e

SHA256
cd5b08e4b55b625244a470c85b09ec0e00c38e624b879f04c2342a0a6fcac5d9

SHA512
173f11252952503a42de5345e9ebe556ea31f44fb0d9de578fa6bdd7e6c740d5721ae0f41f0bed16f10fae070f8b37d1b87e465a780869151e4def9b006c304d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1ae8f41555b4114057480a01564e36fc

SHA1
690b338e731231d2202ed3d860df31ce5aa7722e

SHA256
0727ac385e3467dfbca600499a97446a4e8a2b40f3f3a9d6788961f08f04bee5

SHA512
6eff2d379c95c1a9b5205dcebb37722d5ace18d03da9389e7e6c12acd9a6c2877d52fdddb6b2ec2aec04d436d02d61797ca93d31256e47d743e980518b910909

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
621c3fb212911b2eb259d6124d39cceb

SHA1
6e076a6dc12040ad6a1b044a01b05b6666fbea78

SHA256
d1454b3bfdcd905ef0baaa48944416f71c11dd1507674f7d6d06ae082facaad2

SHA512
44a2aaa009b6290fafe2e40f2e09406419dad520a19f83f559f905549a7d18cf6662062d4141c32915c5af88b7babc25f243ec06fd8a890b372eecfe5e8d257e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
cfaa63a367572c82153be531ed0ef2ea

SHA1
5019043279a865dc00537b8beddc09c9ac38efb6

SHA256
f9bdfbf03f09f4c57d34d0321951a7eef2146191e420280302e352f014908ba1

SHA512
a0534f41d2e35d0d5b47b76ef58b9e7762837c584d8ebf496d026512e6c1cddecb8a80ad107b99eb4faa94b02fa835ad415f1802f2ec0411d0c2b4e350edc236

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
658ba57ff9368ec84700d6e6018ece92

SHA1
ae9e12b172840ffd55a65d4763f14794a598a10d

SHA256
b2555dd851a8945fa0e5a481adc73b4e9100ef9bd3d2e445000d65fd7a4fe50f

SHA512
416c03756fb8ca77847930d6bfe38761576290bee79ac49d358eeb83392c7041abfc4d8572525dfcdcbcea91ec2a730b1fb3b95467d9c6d76f9e7f22049e8053

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
22cdca0a9c199ccb3c9b678d51afb747

SHA1
9eadeb9f4e1bab92aad9f3217059e13f22a7ac6c

SHA256
e74e3dff29812f2ca3ff0fdbf02d3089a61589f081ddca99e7dc78dade76aadb

SHA512
d3d10c5374636fb01a04b952236dfb7cae1b680b020b3d73535b400e9d8b4e0def090bfdc3187d44ffc4adaa46e9326d0bff7aa2fb663adc042fcb6069ccb1db

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8eaa516e010fa7139123368cf5b8a492

SHA1
5a1ba772fe43f39a4d6acffa3e2b9b83ef6084f0

SHA256
8df9159339575ef71df8b1a51bbc60d227f51ccde44c7386b6c4b7ecf603c9a1

SHA512
5ec53246f467a174221cb67e0d30f4eae9d29eaaa6845397187e2ab97fe3b118f0f1654e3dd994e8d8b119149c1ef550eeb5bfc4b9c39039ac0b94136badb77a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3c9839378f6668064b5f476fef6676b7

SHA1
83accc162748e708aacdbd434726c589a0d0f99a

SHA256
ba94b7b2b64797e3ca7bedc05a566032707a2e13c7d7e792bec776ab72ecaaa8

SHA512
19c869eddbe6c5a62769b37298cdcbe404c626655b0b1ff767175d7e1272c7eef32ea4b3b4f33932082c6c838b641b10675c722af52e78713485f93e956543e8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8ec9560f5497fcaa77233317f7c4c58f

SHA1
1975c6f656f7054894dd93a9727e8c6514f225aa

SHA256
420ae051ecad8d2113dd1f30166376dccf9d2da7cb5f233e3ae80e443e277dd3

SHA512
51e78b46cf1c5062bffbfd11b8b2bd077d0b351efd1fc1a70c84e19467a5e0adfac7842d41ca74c0a951d341c0744e32d348a4ec4b7488114307e8869493816d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e621b7af353113b265353c9627d41421

SHA1
8088ea56339521d2cc520b2c04cb1d9f5381290c

SHA256
f2c0cb7d8e8d961ac5e3955f001b4bcb12af87daa90e5c941d9b7134400ad29c

SHA512
ee50bb0c91bc64cb32a60fcaa84dff2b1fcd7e13e76fa11a8e9bff47833b5132ce6086eacc8cecd7b58bc6bc619ea56dd9042b02cc357d06777077d5eefd8111

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
713e3df1354d10d7842cbb2e55ae2c18

SHA1
7a1c5302ba75d8bbaf4b691ab66e52617e7e8c0a

SHA256
e87e28eaaf93cc2de4dcb914df5b65f9d309cdeb3bc0bdf5ab96d818631e5c63

SHA512
94908418cbdfec12443c3608251d89e66ca5c333894d4640232bf56795270b9dced8547193708e2d309daf838361d847c054f6604a03d51a93d3561783a51490

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
349fdf962b68567faa95f165a130c9a6

SHA1
da1d293e634be68aabb50be1e42fe97ee485a381

SHA256
c0693633a0fb1e24b95e30581d5ed4d140e2d43f1cb7d1beea73cb4da61eef95

SHA512
640ec164ce39157c327efc13380189f02e1793154fb0db89d7b44b595b268d2f4af19818866b9e589acdff0cd51849e50264cb5ae8c60cdd541735b444a541f2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ec7e32a469745a955200162fbe5bca74

SHA1
12f600a5be089547302cc4dd1bc10ffa4f569842

SHA256
b23dbb8a4245e715a7016f9d594322d344b93aa4de8e4b4d315eb4a151153b3e

SHA512
1ded882b0a9d8b93f9bdf79319df73f38bf8f462a7553ac875afe71a0eeb4d1f6a691970ce2ca0fc60874892843c120738ee1cf299c6130eb82ebc0b712ef826

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bec3fc81a74f0b048839ead0fba6056d

SHA1
cfcf25e45fdb32a939f6b39df4f395a39f4b981e

SHA256
417b42372a4e6945fd6a5ab34311bef657dfae11ea0209d172491ed0d2d99919

SHA512
ede91672bb3e9654834567c191a59b38a586eb773393e5b4003f31280f85311d921295deff7bd80d9265cec0fdf08215edb225de26eb2a386439d6474a8efa52

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a4b9a21147cc13c7604555b4557b6902

SHA1
3b5816e4dc198c95c52a9fc770d171419cc249b5

SHA256
ea66314182153bf14a3f42a6c75bdc930ec0a744cf8ea76c48fbb27db1aff3ac

SHA512
1f1e461148e24a492b67bc43c45b20f3e295fc5afd822ea7a8b0c0e9990e8bf121c8ed30b21a3b693465435bba6113d3992bc0f2d616348259747f4358e01e92

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
184cb832fa1f04321b7f06c59851ffaa

SHA1
249276835fcd7d962d7a2ad6fe6fbae4b625b033

SHA256
10fb70fdf78715071fe5e079b8f866e554186c286941067c7ef94a4b1535b090

SHA512
78046a20792f8c3c9c4c6e4dacfb86ed3e90e05d3cb8f28eb1cafc27511ce6912572e560e00163fcfd9d2298dec405ee4708fdabfe19522effd3fe57a0458c37

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
391d6558716deb1c861fcdfe398a2e2c

SHA1
760c3c616359108ba8450e79c33274d34593b242

SHA256
fd291651dab5a3a8948f127ac93d46df42d0c269dd378e9664c08472a37fd774

SHA512
11856971fc0527df1b876b66f6fbfa16e0b7361de8748bbd69392424f00b367d277d246d3714ba65c7b5fb7404f84fc28153b7c253dfd136804128988b6b2bac

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0c09b3d0017f95011548d3b87d7f8d3b

SHA1
51ce6a0e1be835bd81f90d1522bb98a49af24581

SHA256
bd1c023a3d260b2486296e7f46065a481f8d3f4c9205c47375bbd666800c6352

SHA512
1986e9ef6c1513594d25a6b84c3850981d76dd1936d09c7a4fb08802d47ea8c24910b6b230ebff809dc9b4b89d2120dd3ec00dff40096bfb31804c457729184d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d3d4d19b8484817132f853a1ad885834

SHA1
ef7177a4a91e39eb4113f7b08d3d3c0b6044c54e

SHA256
617e4b10fce209d57a6788175e6621f1f05c423254c8caf3a10a957b33292537

SHA512
be025580e05ebb77759a2760eca9e327dca3b6bd3398d3df497d06126749db0c1ea0aacfa26067ff293f17101a15e2ba3f5cc12468fd8a5018dfe35a4db8c019

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
11792d8e8b26e356544938647e54421f

SHA1
b21bc6f261bd8a344a37031dc73bc08aded3d426

SHA256
4707731577e355223c0916a5c1f862118ad3d5c55f1a9ea9ea025c0fd687181e

SHA512
1ad5c49de2c2328d707c0fd722da244c8ff04d0d236e5a14f40c69075aa2b33b329e5514331c426c47bf79c6ea1cf65e8f9cb9ea83e962aea009957c5886db00

Download Submit
memory/856-81-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/856-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/856-75-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/856-252-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1116-322-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1720-474-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1720-329-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1944-59-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1944-86-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1944-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1944-66-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1944-72-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/2108-475-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2108-333-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2440-295-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2440-467-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2708-293-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2708-416-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2776-247-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2776-20-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2776-21-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2776-29-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2884-469-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2884-307-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3140-337-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3140-476-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3228-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3228-246-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3316-269-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3316-271-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3316-263-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3316-328-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3320-0-0x00000000026C0000-0x0000000002727000-memory.dmp

Filesize
412KB

Download
memory/3320-65-0x0000000000400000-0x000000000087B000-memory.dmp

Filesize
4.5MB

Download
memory/3320-11-0x0000000000400000-0x000000000087B000-memory.dmp

Filesize
4.5MB

Download
memory/3320-12-0x00000000026C0000-0x0000000002727000-memory.dmp

Filesize
412KB

Download
memory/3328-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3328-288-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3328-468-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3408-336-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3408-285-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3532-318-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3532-470-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3612-33-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3612-34-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4532-332-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4532-276-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/4532-275-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4612-473-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4612-325-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4628-251-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4628-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4628-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4628-56-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4692-43-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4692-37-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4692-45-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4692-250-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4952-324-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4952-257-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5100-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5100-477-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download