67be81181a68a203df710402e01b2068bc1a95a8f4fb4c58926d264f2774b998

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_3f3e5909b2c10a28f7a09ea50343e208_avoslocker.exe
Size

1.3MB
MD5

3f3e5909b2c10a28f7a09ea50343e208
SHA1

2aa70a549246e983df30f944b13e5ab8109c98c3
SHA256

67be81181a68a203df710402e01b2068bc1a95a8f4fb4c58926d264f2774b998
SHA512

1fc72320c0bf0166fd860b9d4e877708de94fb301eaf3afebb50ebfebfcdaeaf7189b9d9b6892339b913f4483ec6d234497a8d074a9f2319eed9732db61cfea5
SSDEEP

24576:j2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedJdCN/j2GLl3iFSE33b9:jPtjtQiIhUyQd1SkFdeN/j2U4FH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
3428	alg.exe
1204	DiagnosticsHub.StandardCollector.Service.exe
2520	elevation_service.exe
2012	elevation_service.exe
4688	maintenanceservice.exe
4580	OSE.EXE
4356	msdtc.exe
4628	PerceptionSimulationService.exe
4960	perfhost.exe
4912	locator.exe
1144	SensorDataService.exe
1388	snmptrap.exe
3484	spectrum.exe
4208	ssh-agent.exe
4940	TieringEngineService.exe
1984	AgentService.exe
2452	vds.exe
2632	vssvc.exe
4604	wbengine.exe
2504	WmiApSrv.exe
4364	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_3f3e5909b2c10a28f7a09ea50343e208_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_3f3e5909b2c10a28f7a09ea50343e208_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f59f771fb3b9834c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_3f3e5909b2c10a28f7a09ea50343e208_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_3f3e5909b2c10a28f7a09ea50343e208_avoslocker.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_3f3e5909b2c10a28f7a09ea50343e208_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal	2024-07-04_3f3e5909b2c10a28f7a09ea50343e208_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93546\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93546\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4d14e082bceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000746182092bceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fc646092bceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000af874082bceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8db1b092bceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d140e0082bceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1204	DiagnosticsHub.StandardCollector.Service.exe
1204	DiagnosticsHub.StandardCollector.Service.exe
1204	DiagnosticsHub.StandardCollector.Service.exe
1204	DiagnosticsHub.StandardCollector.Service.exe
1204	DiagnosticsHub.StandardCollector.Service.exe
1204	DiagnosticsHub.StandardCollector.Service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe
2520	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2904	2024-07-04_3f3e5909b2c10a28f7a09ea50343e208_avoslocker.exe
Token: SeDebugPrivilege	1204	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2520	elevation_service.exe
Token: SeRestorePrivilege	4940	TieringEngineService.exe
Token: SeManageVolumePrivilege	4940	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1984	AgentService.exe
Token: SeBackupPrivilege	2632	vssvc.exe
Token: SeRestorePrivilege	2632	vssvc.exe
Token: SeAuditPrivilege	2632	vssvc.exe
Token: SeBackupPrivilege	4604	wbengine.exe
Token: SeRestorePrivilege	4604	wbengine.exe
Token: SeSecurityPrivilege	4604	wbengine.exe
Token: 33	4364	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4364	SearchIndexer.exe
Token: SeDebugPrivilege	2520	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4148	4364	SearchIndexer.exe	120
PID 4364 wrote to memory of 4148	4364	SearchIndexer.exe	120
PID 4364 wrote to memory of 692	4364	SearchIndexer.exe	121
PID 4364 wrote to memory of 692	4364	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_3f3e5909b2c10a28f7a09ea50343e208_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_3f3e5909b2c10a28f7a09ea50343e208_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3428

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2012

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4356

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1144

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3484

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4884

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4148
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
930650434f776619827a926a9d5d7583

SHA1
87b244537ba70e0d12b10717142a7b109fd2dab2

SHA256
6fb054901b72e12d524651ed692a984be7a753590b9ac728bd52b58b737350cd

SHA512
eadceb1584a246fe9eee629934007a558a7b9f6afeb17419be5aee06954c7121cbe263ed28e93521903312bfbb30d609f250fab0c8bb3bae8a15dbaa9b20d773

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
334aab13e5e3167a40067acbb3abb8e7

SHA1
3351847d334ad056aff1c28ea0dd4c25bd5a44a3

SHA256
5e25c8a69302d0065b40bb2c7bbf8fc0bb08e6bae7f18e564478038f021f30d2

SHA512
94ad8627bc028483f9ff9586934d4a5681dff84f65c1f05489450b97a609758a9431cb55cc782e7477f4deaf6433adc4f0808d6cb7972d12e2b526a5727dc61d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
38c1eb522f0eaa47006e9cddcc161260

SHA1
603cb4c3742a0c47eaf8090c9d99fe63eff71ebd

SHA256
96264797737e23f74cfe5c0bb10798abf6429990fa05b640722e037e153c5b35

SHA512
6e4db33638f8e112e9901b81bc87bc871ec15f8498f2dbb2a19409877b438ec128b39e7d1f35bd52298b04d70f5071f18d32cdf133749f14f9e9eff1303c53e3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e6b6968821106af03092bfbcd69fc48c

SHA1
98fde439454dec905de6946203058a7f35c939f3

SHA256
73f37c42a2b5805b06110a76405c889f0ff8cf4c6dd7384aafd3b7242dc7d9b0

SHA512
d673292a3ecc45eea3ce03a0d18f6a2d1aeb7b0f046d82a50ce9a0aeebcda9ea58daf4fe6e1da5b61f4b3ec767020ea85afed7792814146dbc10d0a49c97b471

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4cce2967c26927d0b98bdd446179f4fd

SHA1
67e472ceb0ed6ae7dacd2231edc9077c328eb805

SHA256
6a9b17affcbed555259a8cddda6170ef5fe5b74fadb6c21d3698575f04968181

SHA512
b6567db5806f277dabc4700a384768b01ab08c267580a06538fae717c757cde86e601c2bb5ef3b268d302632587b9954ec175fbe2cf4fd20371e1c89628963b9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6ba47faee59c62f03b36c04bf3f1410a

SHA1
249d2c614b7aabcf1526b437ec5ca4c35d83b0d5

SHA256
770d3ff4c537c397eab65cf1a3329e640ac72e7e9445fcb44425e3913050980c

SHA512
acdc8362129e696c26d16d055cc653bdc1eb56dc44881e17e423e1a6f7381e1dec41f0853403423abb57951ea79e310bfa4796edf64006b95a35d56ffaf052a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2056685b55695d2a2496b03daf554890

SHA1
3c020e8670f46e511ce8e5c215f09be9f9850147

SHA256
e9717466afb5351c29766647c5e6c175415acfb5e5cbe5c771b027b8bd46e234

SHA512
ea0116fec31b0619990ff2535f8a5dd00f45eb6638e44c7d132da6cd7fbd985b79b8bbb95e01882557f1614d3a1ce1854cfddde1489990107725cb5374670ab0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
81b93ea1840108d8c913495670e4809d

SHA1
715b6806596b7eff582bb1af808dc8f338663d65

SHA256
622c93ac63a5204a67cb574d66f85e1c90efc243cb87b6edf7d69f4b94ad0d82

SHA512
ff87bc1305dddc5b8de14a4346c1352aa4b793b5bc9fdfb93761d11438f7eca5f5ea43d70ba4f04ce7f60dd2b80dbcca5d4e2ac7799cb90ac14475563f5f0b53

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b23d009d1a58839a7186b8e0c722dc75

SHA1
2ecf9acbb8a161e0a597d63e470b9e004bb63bdb

SHA256
acf3738b42ac38a59c0533e6db7f82cc794a5bbb4f39c90a88493d1fa3bbd133

SHA512
170982b0ea7a5376407d4b4d33edb85d6054d020f1448964a8a6633eab966b38d9076fa8271d6cfa2ce2a00f22a631ad299ab742b5b94a13b6a2786831dc623c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4647e48fc520e3e7061d6c7ff3fdfd81

SHA1
66ec8653108414f56bf89d0d5e2b2638798f8c6b

SHA256
e5063f78a454d9477953bfc557a91ad5ebde22b6af9a6c20a8c3a78f706d550b

SHA512
444a8670bf46f66d9e4b20184c987b89a1396987b71984990aafd4b4da8b68811e70482c0b988718fcdbc2b5aa8e00ccc591d1c770df57df71ac8dce4d5608c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
178a2a34a7e4a852d99dd48303877ffa

SHA1
a2bf5833211a0b6665655f7053b164f3946d89b0

SHA256
9c32f796f2ba413f231cc5f38b0d65f7468929402c0b0ba018f943161c6baa46

SHA512
3ce981d16e9329b38d9d1543de93752aa90914abe39c975c03aa4cfe71841d94bc38a340f06121e5cdc276c86236c164e361d22fca1c96f431915d1fcee968ce

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
31926eccbc43a0599e52f4f28d54acae

SHA1
9e61117ddc2a2aba07d3e170828a2a41e6ae5333

SHA256
5ea2b870d2dec5d06bc3ea1211c5f0446eb7d08329b66ffb59ee333ded48fcf5

SHA512
1d76462dfaa4e94d1fc5a66c81bbcf10689f0615a9deeed56c3481467b7e84328a571885095fa2101468fb6754b28e61f97d9f6737eca6407dcd16be603545c8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d3ad3db1d2520f48a5e6d9ad4a11137f

SHA1
ac4647cb5b54e7b6a6539593913815dbb099053e

SHA256
b3c7fc4719bc78e086865c72a18c7ba013abf00bd17bf688bccc8a26cf000d08

SHA512
512a241828d689e278b95750fa00b7b4ae1b7015ab8455428447fb5cc91cde38d48b562c142990ea42d07b6e0af4193b1d536f481374efd9e9ee684d9934642e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
4bd8ae6264d549f761861af31a05d4ef

SHA1
80a3de04ab27796c4b59f85083772b5a9c719e61

SHA256
a32becc751c39835d0da3a2c2c41b21dce98cd1483b390c038c0001373546e0d

SHA512
5bf7f161f0bd73b342002b49f7fe789f3faa706725860a480ca9b401c4db5443edd1816194d1d953d73199cbda9739b8c57a1a9a5862a976a32f334e4cee17f3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
51985e16f52a1c04c4d7291587d95722

SHA1
3c6068c9675130123a6459457ec5cea80de32ad0

SHA256
597d2605d2d3433cab9b5dff95737aa309710e349407eb5f81f7f617491db005

SHA512
11b8976ef0046c0a60fc1f59e21000644a2f751e8348dce25e95879ba5f3eee3130717fad7f0fd88c723b855fc90890401913649406fc9cda488492478aad89e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c7f4593bcadbcbbe2a6e99aff5659f76

SHA1
6ae31669cf1ada871da66ea510366f0816b7fd2f

SHA256
3d526476599a9bbe7fb5e6b74b85d84c77dc174e556e57a6be286fd5ed6f75d2

SHA512
3252b748dc62ba87b526eb30f95b026a4754991bd9ba5294008d08914c2bec50aa8d64b39fb9175caa55a297da83702a2d80bcc8c861f4d135ec657d1d6741a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
adf2788bb79db55f10c47d80422d7d52

SHA1
0785788ed17c65b810dccb776f6538d3df3f3cb4

SHA256
d1a74b799049923499b2663ff901dd026de11614ff06def220ec08287eaa604d

SHA512
fdaf7dd0d7b750863b7056eab399aa049017d53935d97bf3948396dcc230558271248a437f140b92e3775fce3d0d4fb028b7600593d558597bd7766a492a00db

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
61ffcc40e750f6294c855755c79e451f

SHA1
82a90d33ff1c3cc03930244eb226c1528cb23d2b

SHA256
4b5f104227a7b2b4d38a1ab767e9b51634da9a2bd6eeb861472fc38a6e0e5687

SHA512
7f75eff888f00e430359fc362204e6bb7d1add3adb7327c6f0d14213386dc26a5bf7739f34f351bd11f0b43cc4ffa69b06ed9c01e883033209e7398ab409b466

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3e47d39d9c4610956d19039dbd334a42

SHA1
54991884cb76d260606c26a966b4b484d590f283

SHA256
928499e6a92e9a816f81225bad41017215d7472dd9dcf3428f31fb1b00014100

SHA512
3c1a77f4e05d73bf665a9ed3f20b9451ce8e26f6e22bf7e493b5e3fd184033afe62fbe1082669c9fe82494b1cffc9c805cf6e69c1b727efe6f861ed3192ae2a6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
57b7fb0fe519643a82ab1425c52f14e3

SHA1
c8c8c9c9940df9018322ecd29225046ba1437bb4

SHA256
bb389f60c4247d2c1f6d180cef6d45d4ba4126c11d470be0cabf11e4b84d8e01

SHA512
b045fe45ade62714bb24c263a5eaceba343686c5a7dbffcd6f57a5203e0e7af7d214de061df497b87a085aa9d1bfa57beab42989ec7748108f603842d51bd4de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
45e616380c3cdd48b2475fc0e1381135

SHA1
4429f47505bee455863a0fa3e101e0a06b1d3996

SHA256
b14bf28acc8fc4ccc57a7db09c7f25969ca0c31d909b083455ef9dd6f94313c3

SHA512
a2ecb6666d4334b912105e01af5f38aeda4337c229e12e217c2958e850270fa4675842fd3137afffe92f82a17b595fa13c419cf46eed8fc1809e8c1de41f164a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2966f2fa037f2a464b73e735bc3e0d54

SHA1
feab55378b5b1f7a16cc4904d51b848f5c6e9494

SHA256
70165aade7e8584b02d630479a1b1ede7379e87b4abc9d57a79afb7851fda542

SHA512
c92c89bbb8dd3c2f3598ed4178c845264fe660fe3230e62433598fbac6b296450bc47375fa1cd4dac256961c56d4830707a65738cb8fe2a37b3dd642cf3b57e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1d25c4d155ed5edb2d1bd058e5ae8a6a

SHA1
bd4f4511a3b09197b905efc7cd8fe04906608ee1

SHA256
16e2a2e95f6b5d6162b0a3efa957491e45df82ea27d5358f39d14dcd5688e6a7

SHA512
f2bd30df875040c643e900946da96578af6930c3981c168bf04141db836ef01b44057cf470be693dcd4b6d049f5d1f4fdb69fa67451e5d8f876989365ca141c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
edc11afb560e2669a51056ef5002d30b

SHA1
69f516785d20bd9bcfd4c49f31e325e410b7df14

SHA256
f005588106d10a0b66713038b24e9a86aa299fac0c44539cead7f4808333a5aa

SHA512
0b2cd7ba12afea44be60e1f37a9dd32d907ed57a3accf1f2780b6904c4a5abf0f199fd54a3a2970efea1fdc5075a76cd015b03d94ef549d9215ae3e02e9738b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e329a795e6983c5852798300c4b083a4

SHA1
bf9cdd9253565e21107d35368a78510c195d01ea

SHA256
2b781d47878dcf97133953a46d54604a1ce3701a6d532c3626d4811bae64fb8c

SHA512
e3252c23df1fe99726383d342a55426db7f8eefcc666275d6379d08be97cf6c6616fd80ee8a523ca0bcc5bc3f667a4ad4f337d4880ef31ec14be62cbbad0894e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
46a4bcd62ca52bf253d5df99a5eea6f8

SHA1
ab09af1fb8b5c4c48b704844b360a6b36fc190ec

SHA256
c1db242a242d3fc5ac5f575c85be679f4020f71a09cc6dcc4d8d1d62d2d755ba

SHA512
17e909cdc0d9042ab0c7ddc5f2f7450d071b77d2ce38eed3074c1b1ef1903c68e9767fdc6d3758057b4ea5ad5bb7029ad6fc6a7f864348686a2fdff1a852219d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
160b56bd48b5e6996347e4d65688c0b9

SHA1
8de577934f3ea675cc4be25dc315587dafdd8a5d

SHA256
dfd70b9cdb983570dece24b4e3abe9be4cda80d795add5219fc8edc37225ad24

SHA512
e57135e12f19a761b1cf4c718bdc31e2b7a32e791526013e0f598c4fdbbcc5f92b272e6422944f51ada9979263856eb1df629bb509da06473de94f53597ee09b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
14b3e42217dd361195d5324d050fa5b4

SHA1
e4e4e296e6bb39a5b220da144d328104964beec7

SHA256
7cf35c2e5a085cb1a742937a9ccd40ef2285549217616b8cae098bf8198fd635

SHA512
8a6216c2b6bee468a612e84cd7ceba6f212f737895b79cf9380d1ed09130be94fae4b1ce4d98f3db8447c2d1a6b7d65fd0147e7083e6ba620493bbeea8035ab4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
262488413c8f149d91242c41d6467cb0

SHA1
ca68cf4eea3ed2f7dff4b599e4f29eb89dff4492

SHA256
bd3c5e9e3dbd00910372b7862c7151e20b1f6ef1a7625379b4dd9d4868db8d81

SHA512
0ad9bfd84b1a68d49d3e311111cd0f47147d20a52f17f8945d0257ed4c50b1d9f41e8b9364b9729d84894d707b6383c8c5f958e8ba715dec102a2286727f6c93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e3def33ffa3da477821bc6074c7ded30

SHA1
7802d7ae53d860da146e2d7209c86c2ae221d512

SHA256
88dd1d3ca6d80f971d5476bc70928f14281f6acf6893bce5b2daca77ed66d2fe

SHA512
1ecbfaf7306874c8760426b025a28453866ba77730d3c4220f1cdce55d64b7f87f699f70d2cd538c50f9b991d181a28c750603a2d321f121264ddda1544d841d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d19420e696a04468dae595125a283bc0

SHA1
9e702ff095fae691b0fcc8efd492a8364d7bfa0b

SHA256
c1ec88f0a1e72646ba45e69069e890610e7e8daff3f5d02381a7ba0cc3716c23

SHA512
a3aa1ac52b09b6a7ae59b8b54254c46908a3596266eddf033692821d4b826c9adb4f49feb2094c1d0524ee1c81d0708928ace008199eb5a2992c5ccaf0d8997b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
39503c360075e1167919adcfbdc7b819

SHA1
89dfa2dd642a1b42cf9f3db8dd74c138317dd5f8

SHA256
a01f4b30d3cd0600e7be58c885172c969db9296306ec9265222614bad1e4315c

SHA512
2f279ccbefac30d0b33fa98c83e1895f801a5c21941b45923fe12ba1c1a3b1b80d7e159032dd3ee0a0f00353efaf408d72ae90084051a2a52a7efaf4dd2f02ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
49870190d70730bdfb647625d648e4ec

SHA1
820469fbf5f0d3abd3007b180310a86ece724ae6

SHA256
a738f12627a23259510e55fa5043a48ff8358602771f0142348f1222611e98f7

SHA512
9828d8d99d79d03866f99e2be2e6b5b49ee136e092ce658ec0b7a805d8fc225750094d194079230ed7ddb473d86814a5b7496ac0400f1fbf3526d1e021610d67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
604613fb774dda56863e793e555f9568

SHA1
90ac3e15e13d36c65008b91cd674a18532759093

SHA256
c48cbd9f6ddb9234f33f99458e0471e8fe4d9df8f6c34af2116b25be0e038c59

SHA512
5f14c88d3346ead71f697aace01c20369c3a5effdce705df334f3879bafd8dca570333e7d90503a36e7a821be3525a0b43f8a3069910d29536a8e2c9b4c43599

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5700bdb4805c36acdda453cdaa766f80

SHA1
cd5e553d268cbef12c4843a7043de4e4ca262675

SHA256
70ad6e9c623bf577b8a551b31536d4aa16e9d22bb2dc2efe6cb9e0f702546cb9

SHA512
07ea5f8b757fc1f26e82a1712f84c074e04db6a620d20863eed8c0bc14b74ed550c7cd13ab34bca9855501177d80c9e0c5bfeb0e1a24420c72b9f83d417db0d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
ce86d798d236c2ca75e0ebcf74ec01e6

SHA1
49a3e7b1b2356a71c57c645f9e8295dc1b46f2d4

SHA256
5a593bc80a7f7d95331da1338fed0f9bc241bf90af1f2c16d6149c033cab9ea3

SHA512
2d49ecee25e95c66fdd75610847361deac78d4accdc2e04891a1722a40889eadd01c56c567bec9ae566ea579ed4879331fc0c5d7dafd87c443945b187e7ba112

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
6006900db827623bc4745521f8fe35ef

SHA1
ddd9ad8e0df3cc0e8d3c8d02af3b2752cf18590e

SHA256
e783c62f4a8687fb0de43bc1404167aed55eb91ae753ea389c18352dd6f668b8

SHA512
27d999625eb33a604694a4fa619a84a0a34fcafae022a5f29875ead82b62976ce0c6f1fa849367fc7951276b5c0060efc67819f8ac29b6e8be405523e6960d67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
62ec7ce19bf9ddb0e7b280309a9d6ccf

SHA1
0fcdedad1ab34bb94b20d2ea2ebcc5f43e7e1125

SHA256
67d23f2893be20c2c91e37fea5443ffabee14d1a33bb7591b0af16b46c1871da

SHA512
ecb1d0a7ce35bec7162d7d01355bd2e54d639f432d160db58e981c3e9dd63739fceb60b2a9769165be31576607e789c1be38deadd41427f83466af1a2c0fb424

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
a46b63ca3ceeb1465bd4adfbae715bd7

SHA1
92c2a42874eff1a72bdaf3742e684986cbd7e595

SHA256
9f2a22112c6b9f8f5993cb64394edcafe404ff2105fb546acace1fdc5ff297ea

SHA512
3309fd482a697589304fdfc8e61b1f7179c7d2c5afddf1dd1d3c27eabd64282804303af033b9abde3d6bcbccc637d7873a46956dcc964ddf6bd71f751de296fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
7cad3926e0b3af1d1a1f9ebfa6fefb71

SHA1
a0a25ce5219e6a93e05e5e7db993a7a0ed10a41a

SHA256
807d6fbb4610ef82af6239b57adaeb99646edfc5766986714175dcf3683318d5

SHA512
6bce003ad92c614259a5f031523849ea6d905111530d524ffee476a272f5da2fe1c3da10c9b82eb61fd78ea28699e09fe1566009458852417cb880ad9f526ee9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
24506e5effaff2432c196ef2b77cc2a9

SHA1
aec940356ebcfa574dd6e00fea1f4550a34a5b77

SHA256
91109c449eb1ae021e10966b500a7e12c7f92c7408dfb9edf26a0ffe0d690a98

SHA512
70d340e93e999d51ee59075a3cbcd391541353ec698e9075b5509a3e6ac14e4d34eaa0de01d1d128932081fb9b08f6f3e48e5b497b75f6f1a5532086b83fd9ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
f9ff48fe671785d08528a85ce9d9e4b0

SHA1
4dd80c0982a9faf9b6ca2be42fa4ecef50a1c20b

SHA256
2b5b028fe216b43870c89b292351a42f7f3ad236a52e767eba60c3a043529ea7

SHA512
446d65cfa7c6294107fc84256cf80275f79151c171e2afe8e11507ff9414863e94b295dc3b250d84c7fb022d27bc43c7de5e87856351ab29c476bb4cf37d34ca

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9c8f151cdf3123155c6a84f1cf36b9c7

SHA1
8ae65146ce6e378aad39efc236d56cb2ab53e721

SHA256
5df56960afc1aa765bbc06c9d14e0ff5af46dd9e378431253544ee6406d43245

SHA512
cb62198bbb6795c2bfe544a8d9b4432c35c35e5f9a8421377df980d2e213f34a0ef4245f47f86aec33aaf09deced7f5604c4ba66b8fe29d5ccd41eb7cba63e51

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8568198c8153606b4095fd752fd3fc2b

SHA1
ed77efb92e222786a229b26c14bdc77d253ea63a

SHA256
7ce194f3d97c76be16a5457714bfc5ba789fabeb04e2f7f7610b0bfe8e220b3e

SHA512
ffbdb7cf27f17ad8bc6c692495eb6d96f2b6ed6022a1b632ee964013439f3e8229248fe0affa17330b6cc5ae51a71a0203462518a2107e2f92b6fa8df83dac98

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9ab2247f0ab4bdb6bc2be3904a13200a

SHA1
f1db0be829b9a06eb72cc4b140ce9847b3072d87

SHA256
11b521f49947ed29903691d9fa26557fc0ffed7e1f7c6a38e7d7ecfe060766a6

SHA512
734130ba5cd444404e06e96e31a6d8bdc2ae91d432ef98ef729ed86f60a77ef368dec6646fd4c1d57251b251dfc9384d28d140d767b2c5c063cb72b189ca0e3c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
cbf289b825b3d278b0b93112680d627d

SHA1
1885383bb3b5463ad804449ffce0b8cd0f3a86bd

SHA256
e96be1af7bba6ec5ccd7cb94dc51038c04eebd301281dfe95df9e20fc978ca02

SHA512
603374a4d09dc2fe66117df8a8b5895d679ed5d3f8b88db20a534017a860178a5d48efa37b5883e58b87a00a60d2331b3aaf736e63eefabe3af4e0eddbbdb189

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
16177ebe63bb68e181cddf190d863835

SHA1
e33a364a8f5ed29fbf0a7d5136b2896073eb97d5

SHA256
257afaa4128efc1e3daea48ea68c7397f9bb9f8e1f78c7089e9033b37afe02d3

SHA512
dc5132223efdd1deed8062285840b7826a9ed8c362de93a2a45ea829028d6b7d5071669ab0af52db295da7c636f70c4391e3d68cf52ece4464dd28df035f5c2d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
83202a46795518bc1ffec137e6d1012d

SHA1
f05dfaa3f7f8fe561c61fa17b526de0925595332

SHA256
3be1b48bee9bfaa008a3bfedf388549206a4365ca4197f093ebae2905085e9e8

SHA512
92cc946a0daad58139a51cc3c9b158ba1d2e686f73076e705e573d6b9747672c9dce6c0ee3dd0f771592d272a10aa73f4f0b132bfd17b2ff024dbc92fad1a486

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8e0dbb337c0c4e4f2d69f4f17bef689f

SHA1
5f527005089bfa5b237107fe195b18b9aacbf0d8

SHA256
edbc82e1e597e07e73da155e23ee585d4b666f92dd78cd342a9852af5cf2944a

SHA512
10f64ba5258566fc78415c824cc736c3ea3f043746f428c90739ca7910726a40f33ce567fc6dafde8842ed6bc39e4b3c4f60ee5416a9a047e93dc3a2fc03a740

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
34c3071172b8a4eab55af741531d841b

SHA1
ec8f16c1911f693c0b29ebd2cad48e57b08d1b2d

SHA256
42df9beece66c64d0a20b6603ac51636c491aafb3e7382b9129899350ea1c7c1

SHA512
d56f96eddeb8c8e369ff9949837644b1869aeceae20c4684c20be8ab2f24075fa95eb99595ae0cd17eeb271767f3a871137de2c0b4353f7bf6588d4786902b0d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cadbf46b57cd5d0ea250f182a0d9f90b

SHA1
623946e0cebd5758bec452866c12b69c911c9876

SHA256
322778205db9417ceceb82cb39078b1e1c3bf4a01eb6c10c1635093fe415957c

SHA512
cd78bb0f95896c0c1f50bd22a8be2871176ef0fcf9bf27b5ca9d62c7c2e74d435372c7fdacd3cf4e33160d290e35851c861526c3ba9074d85746eccaca8265e6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ddbe8f4d5315176e72cf43f0a1d72c04

SHA1
d20e1df8c78fa4c3878f485d7086fbede1f2b361

SHA256
abca488b7582156d1ed954ae00ec0ed1042459493329b54c6361b4c5e49d83b0

SHA512
fb5ae2fd524b76ce7d913d6d11f0a04bc52465b9dd986012038c8a164bb68e2ba5ae8928d3039a676b3f648c0d2a0847ddb509960fa058b10fea3c62bad889cc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
60df3a4f0fb64297a3a51c92d6196243

SHA1
04626c28d2b2d2cc75795362797792e16934e7fe

SHA256
803e7990018d55c056f063149a2327394a115b79fb3fce391489756c745655b5

SHA512
0335479c975a95804deb84a7d71ce79461fd9ccf6cee95b41d2d162fcc8cb7fd30c5524fcac9a0c8256c771019da2cb9d4b3d2d033f95991c561fba2c4d6ecb9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fe9cfb19c1b663b0ff7656fe8f506222

SHA1
24906bfcfaa8d07104c0f5146919e26644612202

SHA256
0ecefaf2e3079ed3c8c4c9365f3feffb548a17f31784b5b87a67e2e08d9f06ba

SHA512
f54128332f3b623fed120d24c38fd0da5dd46674bfad9475dbe92578b5e66d3ebdfaa08eba2788b2b1e3bfb44a6e5a8237cea599bfd8299e838971387a8f97aa

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4559c80ecc45c931eb727252b4dcd4e1

SHA1
d7ab51839b2e4a26beb91ee2b7d1585fe901a164

SHA256
0f991c8e06403b853bbacb2a7c9a038e05a868f5330eb94e8ce524d39e2e3ff7

SHA512
97a945f1fc74d9eaec70d4a90936219971f7736e359439debb69b6559383f3920b14f3111cb81cc85cd5451ff024495e451d9e6728822fbf92ffc205f9e52f9b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0192011d3292bc6d7b7721ce78de2b0f

SHA1
c45b1069c4adc6fda675dc6720e2d37c0daa7bc8

SHA256
4f7a04bdbec467cb4ba1c422c0cf8f7a3f4beb783e1429fab42b5bd7345e418d

SHA512
666291584680a9957273a8ca4fb3f563b1935f27df59f6a63359bbe719908cbebdc889dd26aef6b01015beb4b8c2c45625a45fae34f7be32d05ed652149a6d07

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0ac2c32aee2934f1768886b5cb60b2b3

SHA1
aa20ef9f374e2b9cdf75cc22ffe20f280e026b37

SHA256
0a0fac96414fb6981be8af332d4e4b522b853ac0b867cbe86e693c402afb039f

SHA512
76f80dd1d7fdedf2facf30a8a91ea225038a6f2ee292eba6b25790d5880ab692da1723eebc2368295499d52f37eea77a7e34db8a62c270a08b99c7b3f63d50ab

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
263ebedf7a55db085b568853044da949

SHA1
b816ffdd3df36756d8cb9cb12b2eff6a8c59bc68

SHA256
115e5d57611d3e642abda11973e999c77acde3e577ba2ba884434f1e63622b81

SHA512
9adeeb8c0eec06aa6c4864e6d31023639044a36d02faffdf9ffe8412bc2d85bfbdf77d9077cf941b347f30aa0b95c2c1a9599b33dc795f8174b742aaa314cbf6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
bcef28dd77352415508e57feb3b056e5

SHA1
339a9d3a0507e79e285c16667ba56d8b14ffea8d

SHA256
70f55de51b55851021be03a41026ffd54e439a4ff7d7e53d22db48b6d86a802f

SHA512
62ab573124ecc0ca934aa58c66e403fd5e06fcf202b512bcfadd898897fecc2614c09a7fedf18f2ee19a803085e675bf0b10fdf5b4a48491a593ac4d0efffda3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2e5d160b2d981f59bec518e95b52fc6f

SHA1
c2d2e3786751e124be633e6276e362a4a435bfaf

SHA256
14defad8843a4a32f2f898f7e4523a9d169b0270c452776109aa7fc5aa148c71

SHA512
7aba11f76e893dc289a9b0b5b4d1912498eb9c43cb82e58e8a5e78ad05526d121c2e356b2152eee5d76ed0c0ea1081bbc049dc3b688715bb75ef33b3412b3c6d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1cf8de7de0be931be6877c0dbf48861f

SHA1
f6338546f12848f44cafa3f4a35cf236d5ca9005

SHA256
90e997235395abd5ab83647a4d55632e33e733cf1f98415e4be8eb1fe3bb4595

SHA512
ec5ad7e63d585c71144c2807d8c8099a69b3f70f3e2080c9504bf6550c36715aa9d626ba2580fc0df6bf9504ca93f98548ae4e669a64a0a94df9a73cb3cfebf3

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
3495c44829aff36060feb43aed98cb58

SHA1
961f2cd90719b92224047efd04bc001bbeb635c8

SHA256
09a3e1da4a4264439c0005546cdf27915383c6b99249bb47e20f63bc84bd4144

SHA512
c04d297a28ad6a51bc099a0da51ca623888e1392ab901fc11d8c481733da6db7815c2696f445eb57063c02c32c106a67be6aeb058967e9b1507837d5328f96c2

Download Submit
memory/1144-482-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1144-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1144-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1204-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1204-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1204-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1204-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1388-287-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1388-416-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1984-316-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1984-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2012-81-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2012-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2012-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2012-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2452-321-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2452-488-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2504-492-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2504-333-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2520-37-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2520-245-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2520-45-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2520-46-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2632-489-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2632-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2904-1-0x00000000022D0000-0x0000000002337000-memory.dmp

Filesize
412KB

Download
memory/2904-34-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2904-8-0x00000000022D0000-0x0000000002337000-memory.dmp

Filesize
412KB

Download
memory/2904-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3428-241-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3428-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3484-290-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3484-449-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4208-483-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4208-302-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4356-320-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4356-252-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4364-494-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4364-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4580-79-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4580-73-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4580-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4604-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4604-490-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4628-324-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4628-256-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4628-263-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4628-257-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4688-59-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4688-71-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4688-69-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4688-65-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4912-280-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4912-332-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4940-313-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4940-484-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4960-328-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4960-270-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4960-277-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download