6c0c29cc9fefcbdcf4a4ea3bd6dd20a7b62757b07ae2ccdfb3acff9e6a429a23

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-09_25b755431f7be05298fcac9abbbc1f16_avoslocker.exe
Size

1.3MB
MD5

25b755431f7be05298fcac9abbbc1f16
SHA1

2612541f006ce877356bba52bab7c7985b487391
SHA256

6c0c29cc9fefcbdcf4a4ea3bd6dd20a7b62757b07ae2ccdfb3acff9e6a429a23
SHA512

1ed476ec9e2a85ca2cd9fbcac9fcb853a89774ba69481e9d28ca25d96e870803983a7a6980c5bedb551a46cb4e10434ce8aad63c32e1dc716188751b57361167
SSDEEP

24576:h2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbged+aHsK+fM2jEaNZBqoeW7V6tGW:hPtjtQiIhUyQd1SkFd+ksDM2jh3BqS7z

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3012	alg.exe
4232	DiagnosticsHub.StandardCollector.Service.exe
4296	elevation_service.exe
456	elevation_service.exe
3196	maintenanceservice.exe
5112	OSE.EXE
3832	fxssvc.exe
2172	msdtc.exe
4940	PerceptionSimulationService.exe
1476	perfhost.exe
2252	locator.exe
1464	SensorDataService.exe
2460	snmptrap.exe
1328	spectrum.exe
2520	ssh-agent.exe
4648	TieringEngineService.exe
2572	AgentService.exe
2612	vds.exe
1552	vssvc.exe
1660	wbengine.exe
4752	WmiApSrv.exe
4440	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\abd290c979ad35.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-09_25b755431f7be05298fcac9abbbc1f16_avoslocker.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-09_25b755431f7be05298fcac9abbbc1f16_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-09_25b755431f7be05298fcac9abbbc1f16_avoslocker.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-09_25b755431f7be05298fcac9abbbc1f16_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b3bec7839d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8af017939d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014ba287839d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8a9d77739d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9f2617839d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074cd3b7839d2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7e4d27739d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007418247839d2da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4232	DiagnosticsHub.StandardCollector.Service.exe
4232	DiagnosticsHub.StandardCollector.Service.exe
4232	DiagnosticsHub.StandardCollector.Service.exe
4232	DiagnosticsHub.StandardCollector.Service.exe
4232	DiagnosticsHub.StandardCollector.Service.exe
4232	DiagnosticsHub.StandardCollector.Service.exe
4296	elevation_service.exe
4296	elevation_service.exe
4296	elevation_service.exe
4296	elevation_service.exe
4296	elevation_service.exe
4296	elevation_service.exe
4296	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2620	2024-07-09_25b755431f7be05298fcac9abbbc1f16_avoslocker.exe
Token: SeDebugPrivilege	4232	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4296	elevation_service.exe
Token: SeAuditPrivilege	3832	fxssvc.exe
Token: SeRestorePrivilege	4648	TieringEngineService.exe
Token: SeManageVolumePrivilege	4648	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2572	AgentService.exe
Token: SeBackupPrivilege	1552	vssvc.exe
Token: SeRestorePrivilege	1552	vssvc.exe
Token: SeAuditPrivilege	1552	vssvc.exe
Token: SeBackupPrivilege	1660	wbengine.exe
Token: SeRestorePrivilege	1660	wbengine.exe
Token: SeSecurityPrivilege	1660	wbengine.exe
Token: 33	4440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeDebugPrivilege	4296	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 3076	4440	SearchIndexer.exe	111
PID 4440 wrote to memory of 3076	4440	SearchIndexer.exe	111
PID 4440 wrote to memory of 1972	4440	SearchIndexer.exe	112
PID 4440 wrote to memory of 1972	4440	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-09_25b755431f7be05298fcac9abbbc1f16_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-09_25b755431f7be05298fcac9abbbc1f16_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:456

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3196

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3744

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2172

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1328

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2756

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c2ed0d8dfd9f8b768332280788c2c5b7

SHA1
19a7dd8715b115a32d3f22a607fcf8c8fa1ff020

SHA256
10704938af40f6c982bd2ac2fbf6558413ebbd58ebb91e0c77a650f49cc0703c

SHA512
a79e1d2d0711803d638a3ce640a4ff60f35d2f90b548b6e589dcfd79cf58ba8e6f393f5f1778c7e5a354607ca86ac0cfcf00893719da4148546c6eb11f1b43ee

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
df5375373cded5d1111fd900bdc6f745

SHA1
6ab37ed7f056a64030c6b86ddfc6bd7edd485215

SHA256
874063a78cfef97645b9aca277e3ffbd9a29798cafdb8f448f57cfeae0d5f574

SHA512
c26ea0359367608ac274571d1501540e9884b23f7caac52b8325039972bb2da481b6b8d0b3be043d7460f10632f583f2fe20b0dd3dfb18470f95051de91d0165

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d038adfc2eb76204208950b4a1cff133

SHA1
72d6121a51863f70e6c2f36c61059b6487e5e1d1

SHA256
7fb5e284b994e00739546308cdbcce241b852d0b352d08931abeff80015a8292

SHA512
ce173146da3f9fb39ea535731fd9a7b3d868525520163a4412353a4d0ed6ed91d7703926099c94ce4dd92ed744bdadd057c6b892cd466acde6e0c4e6cc722250

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ebb14f87ca68c66ee6f2b71d48c351dd

SHA1
51b03f0868b7bda45d57f5a8ddb3f965f234b9d3

SHA256
7b812e5822125e0565c73ae2cce564aa4bcc049cb939ca85f636cb4f9ab88571

SHA512
4cb14d27b30144f47304e44e4f7ac36665a3445af6990e2e1f4b02a1b901b1a4912456f97f1687e9003071af5aeb17aa76c220811a970fa0751b0dafb873deab

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
25296f319c3e8b5b127070f7a0a3ed69

SHA1
06aae78947a63a5ef2c366cf2fdd5e34ada78007

SHA256
fd4cfe8f847d2cfcfbf96da71db87075694fd4fa9ee6a6b7865be0970d0eeb14

SHA512
cc5d2a65cbdb6d04e984e9078acb22b4582118808e5ac62d7784e30ced69ed66e6c6358e6d7edc9e5c1a735e1ec7652c126c6fa70a4cfaebbf861912d8dc56e8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
192d7963321ea3654fd157665caa940c

SHA1
856fd43fb49b42d148f0b5266a1ee412b62429f3

SHA256
b405cf4b642089ad22838e49d03e2ba81fafbd0c7129db351df01251c76d4d06

SHA512
b3f4dfcf2f37c258800b6ddfc96cc0b38622caaef62a685dabdfa94f136b6bb0f9e681e52204e09cdbcfeea72d3672c11250c38c3509215a38670408da60c8d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c9dc151d1557d89398d20fc5ccdb7cad

SHA1
e709d26afbef20520310f737ff3b82902c9544d2

SHA256
942c478d0cc57903f4e788a0c7a5130c9de6a99aa62cded008966a398f86398c

SHA512
07502af0710a2a085a619e86db87cb6f0d744bf87d973e803fb735602f8efd4b386f4a51cd60e1a9d80a9e7ce5fd913d8acdbcf0884d5743d2bf66e03c1b8439

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
031e7ccbdc4cf472871697da7df6ade6

SHA1
c0d3d2364ca6b386d94a3516798d02e7c499915c

SHA256
a05226ce6c0352d9549f18f4d0669107d4bb26713a0c004a09d704ef02f4ef6c

SHA512
bfa9da456f3e48ae45fcc0b297fbcfc396e772f652614196518712072f4bf969e635be2451f56d1dd04bd6cd8ce7f8a83291f4d4577eb275738fa5aab936e6f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a44387cf1c3e5e7cbbfa70b59c548e9e

SHA1
65bde8cb47142a6ce43aead1f18c77b74ccd9006

SHA256
cba6cd9df9445d6238e29fb37959c04f0fec5c0ea0e1a978b71ceee85fa5039f

SHA512
361b849441627d0e6fe6fa368b88f21f88a33589a9298c686ff94940fef9af8bd455c00f2f53b1f7100fa7e7051b85128735521f676c981c0d86e62628d240c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
735eff686eca4215f1bc29ccb6feeef4

SHA1
02d88b655b54406a9729982177f129ab5070d2f7

SHA256
aad59177deecf899c8b854806a9a79e7d4b975771ba4bd82b71f92e5c224d2e5

SHA512
8298364f9e7dad164ce48df43bfce0e719ed557d50dbb860d06c03cd6b2fc021a0567b1a910cda4a7cf2c0f81d4ef50ad6f29c77609b4812ba86090aede35b90

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d906b19b127d12ba1f372ada22504d8a

SHA1
232cc7c9fb87a3203b1428b353a19f82ee6447c2

SHA256
640206bf96ea52c4a6929529dda1866c392abe60fa444a75504918c6fc2e79c6

SHA512
5bc6bada327dd0716daf30efd5e68b62fd2dfa53bb5b8a9bc54125063a146c52caae6aeb0240ef1f8a7d7c8204bd588e596d02fb44971a0f66f9f0da100446f6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f6cd11e9963f4ab6177e0a81976b8a3b

SHA1
bff1e4717a1d97a83e119c066bdad6a8c2963699

SHA256
6ec0fd0fc210e800e6d209a18b0b49cb8fee9129fa60a27b42b44231a04efc0c

SHA512
e2235249221c1f0f043b6883ace6591e0941089ec14b6d5eec08dca70a5c1670b06e4ec46bfa665d7512a839026a8ec7132f46fe713bc0d0a4367647cf3f5fd4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
aca78f330f48fed03e53931d774e1c67

SHA1
58097769eae188bda5d3c4660df599342698680f

SHA256
995255d92b523ab97db7d20294423e932171a8ccfe3b95c75c925b7bad2c2d60

SHA512
aad286d1c7dacfa117e173e36f6efad5c002ed205db4de102b8698f6106dab4db3ada66c3d3df324f7e3a8d032165e44371183e4a991369f55dae53881646988

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2fc44289741cbdbf0a2d14135844f31a

SHA1
5f1c6feeeb34a62786a59bdb9ea1e237dda7cb9b

SHA256
21cae203d304ee012a39c7d842733ae84882bda18ba56a35400801870bc7bb94

SHA512
a41e3b9d50a4bdc66da88b5bd52445e64116a08cbdb86af55b6d57a2568209e70aca7e999661e73a9b7ccd9d6ef3f4e8acb050f889abaa2f1f78abe95e41ac6d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
76e465b9aa41ab7457a6de624cf775bd

SHA1
8b0b4be4409bbf8f24bc66de63145d4c539f54bc

SHA256
6d1c08ff9571ded89f1d821ade913a4b419fe073051110126a0b46f9f700c159

SHA512
182cf9128e7e29be399bf303a7e230e2bfc7d94e24f51dae1aef68c8f10e8ecea9753b2063415ea9e1f8ee9400781ca5b56bbc18ebb5d9dc72ea90cf9e09a036

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
c1969499c1d4338563bbac7d09329807

SHA1
201916a6520f0fd0b909303a94ba784c3c42f03b

SHA256
f7836f33ddfde28be1ec9662274e620ea91a295a595a52e80aca698a6d077026

SHA512
80ba4a7325272a09744a6576386b8188df7ffc8f4db91ba3c8f61c1f476627f8fec4fb143eb7a89a31258aab9f42117a42b09ece37f0e7fcf9255d2a7b350b02

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
5b2889547dac84809eeb725f93945748

SHA1
65e0cb3c1e56612ec64d3fd6e1f1773fbe3b7aab

SHA256
2424bf336a30f13a63b4cc047968331fd65535e2f4ca026e582ba74226a9a387

SHA512
96ebdf6ee7e9ef0570adb7547453c4d49e220cadfd3fcdeecc9f37458839d286aaf42093def3c1a786cbf7c2fa721c6cffde8a370e04b508b74bb2eed05de2ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
ac39cd45e23001bb5f77e71f19aecec9

SHA1
21e3401386e22dba488b6e09ad992b45246c32c0

SHA256
7d6fce013bf2cff9c4c48b13abe34ad9ef634c5e0e8bcc3d1e75ca51586d2115

SHA512
802493dbb9ab10018db1fd18dc6f00cb6c78463a10a0e71fa6584894244a8fc6566af5836be1982a3f0af5ce123d578fb96bafc8d64f0b58c1a1ac1b5d29f76b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
8ddacc2af5e07dc8ab0ebcfc95946a27

SHA1
59e80ceb124b4a3825a909453a4d19b86e6e77b9

SHA256
72470ebd0d0c0882af45308eba261c0aa4bbdcc69575a533efd1db728c273fbe

SHA512
839d8cdb36b9d049c5ebccfe060c6867cd2f513bb4ce523eaa5eb7f28ad9e39458b529f12ea10ca1a1138e1d708a3d1819dd4386ea550cd38f1191d88ba00168

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
278ade90b0fdfb836623e44cb9636a08

SHA1
750dd5dd183888d6a4392b97ddd752cb86290062

SHA256
71fdb0eef0fa181b4ee92ec06d5c8693da4417eaf11fac3220773fc632fb2cfc

SHA512
f5e0328f97a7c353942aa5f0b86529fe18a13fa5008c5c11a687a4847ea3595be8d8ae6939780a07d99810039b640db0c69310889ffacfda89b816e69c160139

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b20d37c2326cc3c6915c1005285dcdc0

SHA1
eb0820c68eda8a4a616f1e5f223fadf6bdd41a89

SHA256
4abdfaa60429aa9db2a3d13bc1b1e0c45149e9510e3f323a12dc4b42efb2ddfb

SHA512
1428f7df8b827b76641f1e516909f36c14e171a3db5301c98c678676990ebff98126418434fd4c461c176110273bc15308ddb79478cd54aaeea0bf8fa61fef67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
16472e61477dffb9d9a87abeba75c6dc

SHA1
df8c9168b24f551f1b24309b6b7ba509d48ff89a

SHA256
da3adcff4fc07eef62cd3325d1e6f5f78cb46e1e160f67d7e92b33d8fe193284

SHA512
0aa5714e0a5b10122f1bddd33c1893ab4e7042118acda7db6afe8388bd8a0213f3fd9147f43acc8d2e8e6929963e6d8046e3cd5995ab89190faa2c9fb660b996

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0553af12df8683238adfd692e227be28

SHA1
4628f7107dcdd0aacadb4c8ae8924e37738b2409

SHA256
c02b4decaa2e067d43fc8ef68f036e78f508abd3b5fdab2587c8abb4e605fd6b

SHA512
d455504c0b16877a4de1d608a4e4c4aaaadf826c36b9191dbc364e54ac607aa04b38a905652487d0b445b399a3e9c1f951d9f353afcf227be08de033e8a322f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
30cd216cdf5b5608f6dcbde25cb2b420

SHA1
f5767f231700c0b75197226ddd4b2ed0f8b3e9d0

SHA256
e1994e90ff90d5727eaa76feac6554985ab646fd129459c3ba2c23efb5a6a20e

SHA512
09062e209293db1bee2a5c64a33ff4ccfeb52e93d6a187bd7cad370618026d42496af4f855cb6b668bd3a6ff707f66981e701f1689566c3908877287f9966f7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7dfca8e6b2de7a0ef91e44d928bd7a8a

SHA1
db8d071169eecbee12d2c3b5f2c52b32d60327d8

SHA256
366d97c5f4cbbe993cfa8c81c026f0fd1851f73d7b83f1e2646a3895b567ecf2

SHA512
144ce50658502cd60ae268dc7791c943d759af9987ea0de8dddd73b634a26fb77f401fb28cb0e198d5b7d19a1237c63aded4df53f0d190be825b40ef9d599ef4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c34cdfeb11ab0193f1e4eefd11289317

SHA1
b3a60c6ea2c0d84092c52deae19c24411d41f685

SHA256
dae2f401fc3581866eadf3eeab4c6182bc632e0837a4e52828bb95d24373605e

SHA512
9c3adc942b7a29079ef780927fdc132a0a0ca5e0937a85cea729ab0ed8f92b679632179375fb3b94e76f7a926a8e4f6a4895554d638f34612bc03a46397686c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
59242c4bb6af4c34d5e4494539d1ee61

SHA1
97bcacd2f1c4bb46a7966fedd197829b16130f01

SHA256
d1e9c48bbcffd39b078d1e34b78d7b563bd254d709c1b8267c408f5ebce2e68a

SHA512
45b328326f76206078de1aff5695521425e596b9c5c51a1f80de2d372f35ded3f5c77f62bf0d08fe5cc8872ff0f9e33bbf6dd208f5061367525be879e25514fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0d7c55d936e86b15ada7b5f65100a1f6

SHA1
9daab10217ef162fcd330198b2018273c538d49a

SHA256
4a78c347d69a0d32b6c803f85b5de2a36bee582d41920367227cc4c6d54e4311

SHA512
1958133aaf08d164651a9539f07d07c478dd07c2a3a6b5b31ee4e7accadedfcca6a4c9283c9fbd0457b035b632b72c3b58a4c807900a3021d5e86731586b612e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
70a5ee499eac975bcdd792a7c8415226

SHA1
f356a0e2f6d3f3c354e6c50921f9fa7b67e97d6c

SHA256
b4e3740ab8138176edcbc5c403732d8b13fd86b0df0742cdf2e314ea22908129

SHA512
bc085e968b590ed73816a8dbeb6ff604e76d89f2bda9535ee4eb23b569feced876857e1ff9521c815302c71345025d9b0319668d3b9ddeef8e31f7b1bf93df6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8a072e538d13b9059bc9f04b04174d33

SHA1
34c59d722dfdd0f48b99ced60d3c679608dfdf26

SHA256
8665a4b7dbcd2b7f4e59196f2d32dc985d374554ddce32066b762690151d702c

SHA512
2a6d0ae9e3687e4d4d9b4793d3e103395c2a9259f99b5c9658724ae645c392860689c680af7d941927c637290ae837e08bb1f958280debe147207d1359a86dfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ffc473d4347eb6a250b6a2767816174a

SHA1
e3a7a531f53d6af64b9f550ef33a88835f47255b

SHA256
8ff8ef4ffce0390b39008f2b3b9da8599f9c84a3272f68357e200bb729be6299

SHA512
b36001a7df5dae9a5de02b0a22814b13e61c989aeaaade52ea73145a2de3583e717021ba91c43f84375b8ebaf89ec2c0ad30a9d943b87d61d2eb47a638fbf134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d914d4a81c903cc0325fe46a1122a654

SHA1
f9cf27bbb55c305a099dc4e9e1e35d240b3acb72

SHA256
4e2e66d7a7fce3662b8a8a21ca2943fc633f20daf26f584023f4f70b80d8aee4

SHA512
619b76cb3a79d82fc765485bb2af9996ff5c0f50c8d7beb4ce389ea09bc840b068030a5997168ef385e615be287e47653ce5e476878c4d4a0e78bfcb1c01f2d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
37eedcb56e8582e067418ec71d74cacf

SHA1
39c6b40acff721955dfb010ef2c5a05ef3a577f0

SHA256
16f7d728cee15eedd15f88abe045fca33f3dc2ad502d102c2c82607e9e4f7388

SHA512
431b9d81355d700e5db36f202f8fa2b8a91551ecdbb4a692a86a48247b1c80cc327cd4895c68c0cd6d0a735bf4b749f65c58bcb9b636c45a5f060a35df99c822

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4aa48b426716f4dcf693671c9391bad0

SHA1
93328ed23811381222df06cb9afc1912b5c42827

SHA256
065c95e01ea89d3936ccbea43afe64ad5b30fb790b11db03a205da75b60e6d33

SHA512
9bde3ab9173b1eaf4279a99d26ec4fb8e67ec6a99fbe80ff7cbf6199602b03e881dc014fe5dcf6b908a53251ae6ed4dea25f083e126b12bc1e0e92c536a973d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
4795803b7bddbbc2b2d0abb108f74b50

SHA1
6d19b8b5c1657641e9c97a2febcf8f0a45f08b88

SHA256
276f9cc109d5c0740ec12e9babf2c3c93fc2363e4cc44dc13240ed758c2afa24

SHA512
4f0e7402cd877abb3e8a5e8af30230499651cada18cfd68f2f481530578ae9e553823f98dd8054fcb58448d4cbd2ceace1a580647d476d389413b837998908ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
bbe34fb684498254388b1635d44b0b07

SHA1
f84244bcf150095a09fd01d288749c212933972f

SHA256
81b97b4b0f141246c823799e2a5bb16d295d6e0faf845d365d6a72fcae8d9c77

SHA512
1e3a091f8f3621c0be01967d232a04fc3279b50488b73f81d3ef2561778fd8d707ed9652dc99264022344e452445b79af2579401c90b42c56a6d4eb5f66fedb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
434fcf8058de52fafc7033bb4d6e3cdc

SHA1
de0a0a49ca0d801aee2d5395339f3e2f8dce76c4

SHA256
694636522d5c8aff134e3a3ded8b0ef4453e9530d26b03e9b847e85c205fb862

SHA512
b3eb9c59c5845e43a5b12979e127e5c4145951f6dabacd94f576dcdfd12308965fa0f5013de2f3cf2c898d4a4b7df34af35cfb23b04875ef3cd1b2dfb94d4d7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
32e4458fae1a85b97899406af9379029

SHA1
d62aa29430f38da44f7f806757cd28f1a4ac6512

SHA256
38c0d3a610008b280fd05d089e3d9d2077187269d51266b597a50edeedc507ab

SHA512
883295e7fe6f6327ee8e8fd83fc0b37e412d50a9748e802fba9735671fa7fdc818a6b7926504bcf3a33dfdc34ee09c47b93961ca4a4876a09c0e83f192d998c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
3e4364e6b4c223b567f1483e74994b12

SHA1
b3fe810094cbf602ad64467cfca84ecccf9c4777

SHA256
6e2ce0077edc1af6b07f97fa581451fbc223befd39f6928f11d5d26225490e8f

SHA512
ec7aeec56ad3eff515d6c3fff8ed2dbe8902d04f965b97bbbb961f71d1d03104d3410fc5692387c9f4e51f6fc82dee650ccf330d016121010ad90762e3d8c5e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
5e533afbf7833840c571fd84e874de26

SHA1
45e045d446c10a10656f7240154a96df74e93ed1

SHA256
027419756ff2c28a85cc5c45fc45b1e67c1bac3cc8a14828af54de3164709137

SHA512
e6ef80644d36fb23dc70adafd76610ecee1a8b6dde554793e04d68633d68676c757f2367cfb5247fe4edde55c37e3d4ce7dd0884dcc1001af20441b90917b919

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
e282d594823992be5d8320f982086b68

SHA1
efe531e77e5b52992be796338aaeddec56de28d8

SHA256
3d6824da4b51c90856f3d1b4647abea06f379eeaa1032a56d9d30c2c1479aa84

SHA512
87123dad122603e4c011afdbbea07fdc327fe55df4f5eaca8f08e4ed954702951d600ac26f744e1cda861834f02a0f5c864cbf8d68cedf460265e7700ddd04da

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e74f6ab336226519eb10ad507292de5d

SHA1
908defd364f100c396fe6a92e8b42a97db2509d1

SHA256
49703a9ca01ed91f653f30d094d0d12035c2441773ebe9cc3fc41999ca5cdace

SHA512
caf132a6e61f63cf85acda35e2cea69a3ec16ac16a759a77ee7136c759a8df87f0fb9694d73b79388b3482602756467e29edb80d74942b8166ca7dbba8512b02

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
097e1c4219eb6a9947b45136158c4a57

SHA1
7e8ef2bfbf88b851fe21bbc2717c9a9af543e275

SHA256
d21fee45e95354882805d7c1909eceed3d5ee5f012f80fe3940c50611aba842a

SHA512
4f0acaaffcdb5128f348ab83e9e99a64faca522ee0a2672ef78de66707d2888a10fd2a39447cc28fb1b1f1113272a0aad6eec4f6932e90340e115ccdd7971221

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e2f42d6dcdce3da6fcfca2907bd8d33c

SHA1
0b180b5814290234ef0a5cbfd1eea67899c00673

SHA256
2a46e314c1636422f3229a57b69d639796efce7dc89f38f2500e1cd5137c4319

SHA512
dc79b934034085d39038155fc0f03e0d8c356ae5334ebfb18a3abe2ad68744d5dbf7b170e60b3172eefc1135426697675b63227aa7fa819133e9fb6a4b057344

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
79a12dc2e123e157d703c225b0da1e0c

SHA1
f011710ba27ca8ad23d86f7b9844e9c6f45fe19c

SHA256
daa3db2fd4041a3da607a6a30e66f6b27126cd32103fe5fae72d358b970a59c5

SHA512
f1076225215e6000e75e78fad428df3e53839b42d21eeb8b5e92228f47680af573c95c16f70fab91bcc88f9448088a9fb5802621334f5dc9d20c5b9f5599d714

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bf5c4282048d4aa480ea35c8d299843b

SHA1
43688d0ae80f0889bc95ed3d075894de5d881114

SHA256
b36af289a0a2dfc6ce11a8a84ff33e68845a5d9c5c4eaa6e817466d4c7c85015

SHA512
3ecd035fa03a06e718c9b85131122b4ff238a2307f7d8b0ec9ba69a003e21833d04842572214b510abfbf05663b2bc2fc932c4badb6b645c12c106eefc7ab142

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
034aabc21ba03167c5f42da3ec97f590

SHA1
e6fa2cb6ffc4895ad872f995b235409496e68b00

SHA256
2ac08f9bf86cb0da44ba9a7b5d3348d54f8ee4514858c09a8d1c92b63b7834e7

SHA512
f883d85c9b0e24d4af955b6dddb2acea01dc6a644e07f772c4f5aeb7ab0bbb8623840a33455a3b56127993fd34114d257e92879e8e612c80f3ed3d910b8b9756

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d1c9d6365971cafbe2cfeba1630a294b

SHA1
556d703be1c531ec6c179916210fce786eab89f8

SHA256
8902dd5a3131dc16c4ab972a7674d24fbe95894d185613aa8181b88f227401cc

SHA512
27dca82205afd54c8d1621cc0afc61d42adf0ba61c3cda6dd9e199ddd162f4f57dfb3ed117961bfafab64eaaacb12b460c4120ca4b301653dc22f91e8a1f1a21

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
57749f32af7e5c2baeeca5ca3ca23162

SHA1
cb91d2f0cf90a67211058fd450f3e7b92990d745

SHA256
eb6cbe38cbe92a8992dd62f7221daff790ae57c0c088a4f9c9325825cdf8c586

SHA512
1745d6c154b41dd6261ab1a8288027f62c115d4650c7a79bfab79ad5f9ecb455a0825406c1d8d3dc91bbd0cd8ed70180edde1a01e6e0cf9a07c07c382b81248b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
76f0ae31a535d9e2eba6c7a00fc7708e

SHA1
8b37374158e764ddda3e2f9d5605c98fb87ef48d

SHA256
8014ea173de963eac9fc4b455ac6705803e829fdf0cf33f8ebc97de15e064114

SHA512
e15a9fb6714e59858915605a331ffead59c86d8ca7fa3058f805752856d45fa3eb8f4da46e82da285b859a99747f3ee0d161a6c529143331b49c663755d58be0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ddb0becf5ba8f3e03672e6797b662bcf

SHA1
43f79fd0ba69341093d875339318a9012804f3c8

SHA256
338608417965f01cb0e36f2b976220214d004e4db7471de6754155f805c377d2

SHA512
47f80886d90ec936d439e44692f359f4effb8ec6a57c9a85abeb13aba4c1ef863d30f5668fba50916a1ac52d605de930c09134423aef9f40aa75680b873c64cc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1c04b7753beb7fc0744453c0ec0eac76

SHA1
e89f484ee620d61514bad782b2fd7fb6ebfb0c3a

SHA256
21682f1e061b88993670a1f784a3678189bc7ce52a63eb99f43164bf9c111cbc

SHA512
93a9156aa483afd983557d201a43872b034d30263dbf88307131173882691948ae52a5f4fbbc76a285bda5f1c19424e077a7b0b421f684faee4021ec324d80b8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7b79c5ff10252d79a9665e925b147c1c

SHA1
6eb7e747f29698c62d9cb26cc65db62ea7539ba9

SHA256
96abc31e485736aa05efb38f0702beead94eeafdf7b9ac6fe65f1e2f61e31360

SHA512
6f1206d5b756d828e5b532383ad0aae74137cff428c36a3271846e5572f76aff743ed974ef5809ac505d2b0b49ae2110b546cc1c987901dc285474da28aa05de

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
72d6b42ea214f134abcf3a5f57ec9ef4

SHA1
3b95b553c2d789e906a630d132f85076b32b2459

SHA256
3b0bd02a3249bc4288dbf82f9a37555d57b0269971278ca6461d4a21835ef7db

SHA512
384fdda0c7e15537a87345a2a0a86d233da62e48c4f1c062a951e7b426dac5d494223a7e540e33571f4459751b013b55882ee538a3083f98d711ca6fab3f3cc3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6cd8eaeac5b0d4170c9053fd6e4eb4f1

SHA1
d6a5bfab03c751e29f844c98b426ec5aec12116b

SHA256
548c79cb4a9febadeef35b6296301b80d060651e33ebafc8118fdeaf298dcdee

SHA512
d005a139dd6098778e071a7292e4341352b42dd3ffcdd0dccf817772f906fce9b1183892d136ace6a62677619a1e605d3e503d94ae5415a3b835c11d06edcafb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6f853fd63055f3c5ceed03ef64a186b4

SHA1
abdcedc3bf60c02b81dbc40044d8fa395068504b

SHA256
80e77a79e85c86dc4d626e33fa7f34431c17623b3488679b46cae40b77c638fb

SHA512
0b3f74f204a67ccd53f0d4d9b1fba4f6378ef9a9fca6097e2ba40d93800e14b0a93b2e8cb495fb1cfb7597141fb24c37b519d394b3b4786bae7a07b3c4594b36

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3cded4f68ca6deb6aa99cba509239e48

SHA1
a0ef53989b50c1b8d386425180a3f377830ee9fd

SHA256
14d4760b6bbc9c6fe5c24bb530a1b875596ac73a384a141ddedf7eab367b63e3

SHA512
eed50ddc7b8fa56b2d6459b05e8ea85cb52b8f660d94d445593c9e36337c5397d4adebc1e8802596e97b8415daed0b343695c3062eb0db61704fac9be5b64b0e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
58c86426354cd385a0b03ada2b0715dc

SHA1
7cf0e15a0bbfbd63e294c6a837818f7cbe5aa9b2

SHA256
c995ad54bd6ac102763179acbea1542b3fa486e96011e826146a839823d9c928

SHA512
9d939b3dcadcdaedd27adc7c357d4c1c7ef8362e5f632acaaccf2969dedc496380e30282da1090e2eb68f17fe1ca8048a2a56351513446a1ba2124c006e869bb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
26a2456ec1cbacb292cde122a4da321f

SHA1
907cc999d3dc7ebefe0cb5781d3b178b5b47030d

SHA256
255aa01a9b12d8204957f01aec98e03cf44bfa24330a5efea37f454bde4ffb6e

SHA512
fd677d0a69e1f29d5ce311b688ea460aa1dd96f17ae25abc7de79e518c587136dcdfb31146ae346cb1be2d6f74fccecba133a386d0f50e669a19187b9b635c8b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
722b7a1ad83ce39bc67b07b78acdeda8

SHA1
0db310171c59573f1a72c67187c8cca2c2aafeca

SHA256
83e37fc44ac1d84aabb40874510752028405b2bfa9abd0f2c9f532439312bcb9

SHA512
2138dfa7afe64699cb112b4f4d3a3acadfab6dc06daaebaf041b810f412c308ce35e905ee3eb73cb395dd04be892d1e101937ee6bda34584d9453a665b37dd7e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7d44c3c8d81302b5da68a3cdd6055e67

SHA1
1e5ba070198c7720c5c2f1d2224723f4ed4605ae

SHA256
a6fa1b90242b7fb175538e0c6b7e061d1640a39a0830f7120acd66587a2cdb0d

SHA512
dccf2a6af3752210743712b9acfd84c02795680fa6db7bd31123f489ca9aafba34c9abf827ccc3f0da8c3aeebe9aea0c24eeb7ceafc8cc18b08ffa57d1860035

Download Submit
memory/456-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/456-57-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/456-54-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/456-242-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1328-515-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1328-301-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1464-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1464-516-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1464-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1476-274-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/1476-270-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1476-331-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1552-328-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1552-522-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1660-332-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1660-523-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2172-323-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2172-255-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2252-335-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2252-283-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2460-514-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2460-290-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2520-305-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2520-517-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2572-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2572-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2612-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2612-521-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2620-30-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2620-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2620-7-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/2620-1-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/3012-239-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3012-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3196-67-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3196-60-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3196-71-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3196-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3196-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3832-250-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3832-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4232-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4232-31-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4232-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4232-240-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4296-241-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4296-44-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4296-36-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4296-45-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4440-525-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4440-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4648-518-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4648-316-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4752-337-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4752-524-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4940-265-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4940-268-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4940-259-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4940-327-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5112-245-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5112-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5112-81-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5112-75-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download