1f053b550c6e930fc8eca953e93d3434ae6786b18aae44f91c098b5a56e56d53

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_44936638e583bdfec2660ff6e99fe6e7_avoslocker.exe
Size

1.3MB
MD5

44936638e583bdfec2660ff6e99fe6e7
SHA1

38314b0ff5305c3d8b71856b95bc8ddf2a7b6a48
SHA256

1f053b550c6e930fc8eca953e93d3434ae6786b18aae44f91c098b5a56e56d53
SHA512

662bd6bb6bbb8e751d20f08a8df64b7dc6afaeff5c302e11e51dc425123194ce52e6b8d018d70db59d04caf6350ca4d3d2e4444b35373ea810d6fe1e6c2b9c74
SSDEEP

24576:K2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedQRVldlnXfH9gPwCn7vOb7HHcg:KPtjtQiIhUyQd1SkFdQRVlbnXf9gPTTg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3436	alg.exe
916	elevation_service.exe
4256	elevation_service.exe
3956	maintenanceservice.exe
2172	OSE.EXE
3192	DiagnosticsHub.StandardCollector.Service.exe
2096	fxssvc.exe
3088	msdtc.exe
5104	PerceptionSimulationService.exe
4388	perfhost.exe
4000	locator.exe
1960	SensorDataService.exe
668	snmptrap.exe
988	spectrum.exe
4180	ssh-agent.exe
628	TieringEngineService.exe
2376	AgentService.exe
4932	vds.exe
2988	vssvc.exe
2712	wbengine.exe
1892	WmiApSrv.exe
4960	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

msdtc.exeelevation_service.exe2024-04-28_44936638e583bdfec2660ff6e99fe6e7_avoslocker.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_44936638e583bdfec2660ff6e99fe6e7_avoslocker.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\341b4ba6234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe2024-04-28_44936638e583bdfec2660ff6e99fe6e7_avoslocker.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	2024-04-28_44936638e583bdfec2660ff6e99fe6e7_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal	2024-04-28_44936638e583bdfec2660ff6e99fe6e7_avoslocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

msdtc.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1f8c6345b99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000688592345b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042727f345b99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fa615355b99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052c430345b99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000152471345b99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fc08d345b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089d0de345b99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df8754345b99da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
916	elevation_service.exe
916	elevation_service.exe
916	elevation_service.exe
916	elevation_service.exe
916	elevation_service.exe
916	elevation_service.exe
916	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_44936638e583bdfec2660ff6e99fe6e7_avoslocker.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4664	2024-04-28_44936638e583bdfec2660ff6e99fe6e7_avoslocker.exe
Token: SeDebugPrivilege	3436	alg.exe
Token: SeDebugPrivilege	3436	alg.exe
Token: SeDebugPrivilege	3436	alg.exe
Token: SeTakeOwnershipPrivilege	916	elevation_service.exe
Token: SeAuditPrivilege	2096	fxssvc.exe
Token: SeRestorePrivilege	628	TieringEngineService.exe
Token: SeManageVolumePrivilege	628	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2376	AgentService.exe
Token: SeBackupPrivilege	2988	vssvc.exe
Token: SeRestorePrivilege	2988	vssvc.exe
Token: SeAuditPrivilege	2988	vssvc.exe
Token: SeBackupPrivilege	2712	wbengine.exe
Token: SeRestorePrivilege	2712	wbengine.exe
Token: SeSecurityPrivilege	2712	wbengine.exe
Token: 33	4960	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeDebugPrivilege	916	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4960 wrote to memory of 1992	4960	SearchIndexer.exe	SearchProtocolHost.exe
PID 4960 wrote to memory of 1992	4960	SearchIndexer.exe	SearchProtocolHost.exe
PID 4960 wrote to memory of 3808	4960	SearchIndexer.exe	SearchFilterHost.exe
PID 4960 wrote to memory of 3808	4960	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_44936638e583bdfec2660ff6e99fe6e7_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_44936638e583bdfec2660ff6e99fe6e7_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4256

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3956

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3588

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1960

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:668

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:988

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1664

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1992

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a64789f212533eb5dc0157315a49f3bc

SHA1
0cdff994db4071e63e2fe35ce2978899df11a4dd

SHA256
17927fa8d39056cb4f38a21b372704d11fdb87623a4337e0e3674fe0923fa23e

SHA512
c48b4b7ab94d4682b4362357896ba852c480c2169cc5e179ee7e736dcb230db579b87eb69969e74f642685547beb912eeb704684eda6579afdd0e5cbf8d34f82

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
92a8c0893a06d57662ec5c6598e7c425

SHA1
4a1a0280359facfaf928486d6412256fb2f1b833

SHA256
a8aa81e9b1ace52335ca16ce96aef62a0cbe9c2babcc1a2e7568232790383112

SHA512
a064cb8f95883d32be2663daaa2cb7757ea4f2544a57751dd1ffb994e34c2156b49434d25ebf8bde89deb23990d1d52fa15feec6f30a781e9f1b0ffa7cf116ca

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
b00a143cf8a46bf9cb6b29828e5e3cdb

SHA1
0e3a74d407909b2b5cec725e2806ca371cbb9097

SHA256
0cf68cfb3424ee48f9b5408d9ee16295e579c6b44f0d6cf4a8853d4929df854f

SHA512
d58b58c4d557eb13e687d2a4b15126e979f92b412500cec71dcce0cbdaba7d9074c36e04ee1b8ea5d238c4bd311ac13be6a3ec6b0ebec41f54177f0173d9d26c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7e7a4b7d14ee71b5346c44b0c5fc14ea

SHA1
4f12957560102d21989ae2625923858cd2cb32b4

SHA256
725eed2684f0de63a43fa931b248fff950fff2226c8c9028c7b285bda8cda5c2

SHA512
4e35f3d79e4d5d8a0dedb50a0cac1eeedac84df6068de662e22171bc4958ce00a78cbf858652be5475eb99849c2a1210e9ac6ff52dfdf79d581a917825a66c6d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f300c7abe6ec729be6cd05982b3e6b8c

SHA1
8baec448877631a2a5323157e31d3be5f5251912

SHA256
13ecb5101ffb4c8d8a634850b0f2322154a9e3306332645a23097a81416a137a

SHA512
b9af54a97cbfb777b5afe41dbac0e00fc9007543f7e98663fad81689cf4ea43f555b7b70c9ce1aed9c054bb45103b14fad5eaa6446c4b0e1d8aba42b99e32bc2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
0b010d432902549f001a28214bfc8aa3

SHA1
e91ace9ba695b7ff73a6c691ccef115299b76fbe

SHA256
fdc683de4c44b5233f5fe1de98d8cabdf0fe83627c3039309cedb0318115a7c7

SHA512
5b150c9dd53a873dff25bd33b7b66aa6507c7cc4ab4387478f4db05949d13afbb59dc8c93ab6c6780fc329aa260e0658e10f6a47f4283c67632ba26f73b72a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
15ed2e54297fae887fea7c0c61ce9af9

SHA1
7b11c0fab7d071d2d0ee1df49a07fea4928fff5f

SHA256
83210a0f4e975deb01ddfb62af57dad9e366cf89cd866e358feddea4dcfe40f4

SHA512
6fc6316d8f40e6b9eb17a5e657ad6b1466985d98211598c0eef2936a28641b4ee1f06ae13225411b155a6ecaac8fefbff4f15c5596b9e2a404599be6e0a1a300

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
94ecc458a58be3059c4205c42a41622d

SHA1
1e0e62eb1e1d3f5fc33d7151d561479094296f84

SHA256
844e43541b004a54e16d34de5158cacb9d19c4c2be9c5f459969be2a7eeae017

SHA512
be5ec19134f84027e8a00da6be0d7e1199a91269998d3210f024c02ec09b2eb3f530211a4c54b5eb93402862fcf41f6c3de40ee59f47ccc31445dc80279e99d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
065474987cfa2c135b856cfc52a4e87b

SHA1
6b4839752a69c4e9a342eb9186f43278aad7a710

SHA256
4a6010b8a086a42c6891440a66da2271542738a640536eb0b8395aec8cc29a65

SHA512
708f214c7452733d9ef2179bd16f3f093a77be5a0b8bf620c0ec63e18eca92c720113b7caadb814804477a88d5bfc0257b20c413f13ce6c92d34579c0e198dcf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
542db3ca994a1645e620952052dfed69

SHA1
332c1380df0a972e340d2045948e103dbccd3e0a

SHA256
dbe5789c3ae71351f182ad5b294d55d98388b8fdacb09bf83e8fb1d3cc9e5588

SHA512
989f41ef05fd4518f6eef72bb7b18994e835620512e0796180a5cead6fa5acec36166587eadddf5f9cc77a8e446637e3811227d950089d6f7f3499015fbc5b3a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f173225484bf5ced32d86cab0c0c745a

SHA1
56195358f48e274d548a1e49dfa8dfc68225c4d5

SHA256
2d2eecbc2f71d1c3d88b72ed1bd3c804786191497a19da634037545ab625b410

SHA512
79022194d3a24dd79e646797528752b73019f9bfbf220266428dff9ed5d4e0996b55d8c11f6bf1628370d7fa40cd550bb55f4fe4f149a06b439452dd18c28ce3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f2a9f030f86f923b11d35dd0117a9f6e

SHA1
81f1c6d7965f7d515b18c8a07dc3bfa1fbc5035e

SHA256
5c3abfa36ea517079eef36aa4ca6343584f0b53c52b5c5c2348640f1b75541ba

SHA512
d30c3d0bfe193dc42e15279b4b9d1ad18064ca9a260ab66d403b07da6c96a16d6e2eaab879bfc1d94675897c997ca538241b1a071d601f5692f00b8e0936331a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
792a3f540994e6a83731918639da0dae

SHA1
a95a4f43255bcc9400a7fc18cc9ca19378c8cc23

SHA256
96168babe14b3db0225f053b9ab97dc3677554ae211698e17c233fedb5c1fc9b

SHA512
ba82b1892d97f0c3e918d16ab7095e36ea7c754cd5c89f7679d321244e8fd4d054c68c6447f0bc04ad97e2694b5c3b929ec3e7d1ff8fe36b84b2168ca248f759

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
0a4d3d7aa8bb64ba7ddec4c68ab49fee

SHA1
86beaddf1f4b1f4e8a5a02eb04b69b8ffcea3504

SHA256
e1f9a78689a1c7d2bc84655891cfa6867b64c4dd8d9a84be7f44767271d71df8

SHA512
57b95e019fb25595ffdba96f23cd2ba91dca8dbfb2c6742abfe129cad6ea83da87d38e8f2b8bd1fe7e0efba2831500b165d5f32466abc2060af673f6147c43d3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2ad6be5f2d94c3591dc52022419ac15b

SHA1
861ccbe2636345c9f6854c0b17ebc6dcfe78cbf5

SHA256
d03875902016e1f86d7fb915ebe2362dbb6c4c8d707c0355e2a959d0d19e0849

SHA512
6cbb6c89f488e41b0e44cf293c494d32b4593225b4483f8fe7cc1637e6c4658b06bed3fcd732d767a1d1e23b8d078e4a8a01c81ed01ed193d96534e4be55d197

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
b2962d10e960f5b546de156133b7fb99

SHA1
b8f84182a225d23208d6f65e31e1249995f442de

SHA256
6af6ffce813a7e7a8306fb442a2a0fdbcb6d256fe82633a0b4832d8aa4caf61e

SHA512
be00249307e8e87e255ede86a19ea6974b64bf6c5a31a0652b32b564080411bee3829e477ace39bd7fb102414f714ae2802df5202880d111f6391876e85a0a24

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
1d2862c31f802243df361b636d69a8e1

SHA1
858425ecf0038618f466549ece46c297e1e7c1a0

SHA256
9a102704b9a9d5266cfab80c8a4487f1eb7645659d09782477ce796e3910bbc8

SHA512
0210291c0bed69af70f3ae324339cf0267acd2e27d9033951e44a78cb2c7f98bfb6d10b48a2f7b18b1e01f5f3ccd0a9bc98c856e169a19dfc1cc81928b0772e4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
bd30cd0a6eb4a6ee14d2f6b63fdc28da

SHA1
2f20aaa64a259c853e5318a4b1be81c55b65707c

SHA256
4dcff85c28028f0af2dedda0bef529174dacfca16ec5590a48aa4d03319f4015

SHA512
1a4bd31228a576be7ae21c565a7922f437c4cad871faf5238e0ab4bd30510ce8ab37c561ecbfd8122d5297c02766c64e24483b0cbfdc408dadaf514f10f31010

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
0a772d549cf3012cb377804d0836708f

SHA1
881c4fc06d976e8cf785f6dc3dd262014037f987

SHA256
b0c3d60f5aa90ec0f5892a24191bf3a09bd61754ad84d85d656a14f71cbf061c

SHA512
3b8b771e012bc84e68508801871279ff90bf23cad07565595f9cfe9b957a17cd3a8e816c82d62d47688a8b7e3c128e5ec4f05c6672acde490a1606f70d757385

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e19da4d2557a52675e2b8f0ade3cb4f5

SHA1
47870cbd234ccd463174b75d17eb324def297f90

SHA256
c0b8aad1cb881bd7e40aedd0895c1228f5fe88ebdd4ef91f8cf0f3d3609f1261

SHA512
89e69c1b7b639eb846e31bba70bd3b24c4b2d7c1fdeaab5821622aa4ec8906e30bd460a1affbe4aead63710862d8bdaa1022d6bfdb51fc89e857e5181449f53d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
94f432618792f7a219edc8fc8e0fdb45

SHA1
d0d420a90e49740343a05c880dd534aa81d32c3e

SHA256
d4139e9822aaa4007ac613c09480e9d3c9c11ad0fbbff3e4c51ce8ffc8f63dfb

SHA512
8df5509eeefc44811e45c56562f70808da2452e521f7f379ea1291e178aa9fa3aefbd56329f0990856fa82b24ff3353adbcfacc0b6676b92549d18c9abb52be0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
01d40621ae682c3104138c1b27bc496b

SHA1
7e577737512cb3152e91629159f9639d2bca87b1

SHA256
e32ea6ee54591beaf776cc69a4f20d9a6395ec9cd3d8d819c5314c1270dd276e

SHA512
67453e29c50bc29b30899db3ec3ff9bcb11ea2751fdb26e1abd68b76c82fa57885a250ea903594e4a104eec6fc6d9ca4aaae65d6a6fcf72d177587db797e53dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
7b22a007918ad57cbdb4804407d0e13f

SHA1
df0dad6ed20386b19cd502949f9a9814799834b5

SHA256
5fb872363776aab4577d30f4e971261877bac57cbd361406b7ec380125d3e247

SHA512
62dedfe5e3cdb8fc9631138983dfea276ac7d2fcfaf0e7c37cd4247acd04b57dd7cbc1362a52e7322ef0014e16a6bf0f615408c901fabe0655debabb625c97b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
864a28c3a97bd5e4ea4c0a044bce3a19

SHA1
4a15c3137d6b312491675219766d081574fe7fde

SHA256
9fb50ba6c2ba83b299a6fe1f40b3cf9ffd8fc3b5d7bc2a7f05be3681972a67da

SHA512
1d81eb43e5a13561dd368c8876f043e77800b03dcf91df6f564af65530b4e919020ef3b1140ec3588431f4eca61bd137fec0bcee5402e627359703d6ccfbed0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
554cabaa96c8c47ca2884a635fd77bea

SHA1
ae6fbb1b646aed07aef54a74bb8ab82c478de45e

SHA256
27f2fc76bb1d460e3dd356709d06f95cdb9aca34595b88bd2b3670da488774fc

SHA512
86217bddab72fa0fbcd0b5f369e1da93b583a16487337624e752caee4bc4f28256825765711e641ec2328eb2e681752fc092be5b03e24cf77f1e0070eb0d3851

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
d2b6f5b4f980f9ddcdbaac3a6d37aff8

SHA1
22ada5a3c295bfc580c822b4ab7aaf827d9608cb

SHA256
51c01d8c74805e69e17ff6e3c4cc38a3ae79890b0a03773dd7618d5581437518

SHA512
5fd33428e543ef89a12b76b083c9bd91847a45af425547009f3a1e571783dc61bd636a3ce6174bbbcfc86afae36501c1f74f15de9f9e7519e41203aadf542e68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
a5b624f9e4417786e9203e9a82b3a42a

SHA1
0ce048f66817472b90e4000532dfe9575e25935c

SHA256
0c011c631797e660f051d2c2776557d792a3a94a16f39cf23911de890508c507

SHA512
bb4980b33b8f0d033b5ab36cf03f23e02280f5981b7657c2aea2546eded690aed4c0dd623e020e9e0ec9c1bbd62c5cf4fd61ae455e758e7f3d6212ad64ef21fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
a27f169fcd695039fa1db2ef6ccf120a

SHA1
17c4ad30b3760640fdced7d6fbde4f1a6d6595cb

SHA256
5fb070778ab61c734a6c63078413acaaf0ec5150cdf93a355fa24d2a9d433688

SHA512
4976e29dc76efd37d0d09612196354eb637fa97bc47ee12d86d554a24734535bb14de3403f792bdb1759b3022c7a854dc53f89c533d9ecdb3c8ded9e832bd701

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
28268f27cd25d30bffe3e5c49843c18c

SHA1
4e906a4f231acf7685afd0bbe98a0241b64edad3

SHA256
8a48a8de08cb06b7bb1c7dd145935ea3e541bdfda88856b47d7ad3f3c8216f05

SHA512
52e45abd387b324112a938b84dc13bf8b6efc7ca339e2b9e491a217a7f30e0f52b5fd0005d870444d808893f0f02c775298d733856dee9db8d769da387365a61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
cc41446ec49dea0d3b49ed41c82075cc

SHA1
36c517802f9bf1bc721f19fc2d40c146e975b56f

SHA256
462246f5af030b370fd4b7dfe0e8fca8160d2c0b000f83bf3220c0a8ae9938e9

SHA512
6483fcf8058b370ea146ecf67072d9fc1a112476243da7ca8b0e7b2f7f02da2433000191c55b57b1144eda4aec6c24355c6900d5b1336ad4c79e527ea4c1eb72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
a35947e12998f85a0821cc9e74ddd233

SHA1
423cc18d2907fc861964d50c6ebe12504d777868

SHA256
e875aac02576ec0e0431c19817dd073d594195352a96919bede1e1afdc5d764c

SHA512
f32c3352b8c265b7fde8698ba19de902c7b959adc1662a7e68bfd18532325bf848b1304904ddec4000632252bc3e5940907294b072a8142a9aca15527ab2f661

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
39f39d51e33194bd4c03dbf91639e773

SHA1
b733b989e15355195b8209c1bfcffbce717cf2de

SHA256
a6bfaa124627a94461b01fd73572ddad12ba458a5f09ab2a072b05234495aa70

SHA512
a863d9fa3c0d0413ac233e67abb9c193648d0b70e6c37c5b37b2661d45a70fe309f0921a7d6241785d4d642f907a2191010c826f7b8035ca46f7b0ea743a8844

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
67504a3a24d553bf191a5013f3b80a0e

SHA1
1556833cb1a9c3384231ce30e5b7a5eccd3ca243

SHA256
ac2c037567b6f118a69151ddd18ccffe7a378aa3ab676040fdf7c016a855a1bb

SHA512
a26da504abd63282481f8097a5f5209dfca67f4efb949b1410d67b33105a651d5fcad54c14240961fce202003037904179d404c463fcaee2543be08eb6bb782b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
df44d2d44bd0f14e173bbf162e95ebea

SHA1
024e111d0093db100f03b94964f50327190ddf50

SHA256
8a443cdb0f83d883e6b9ecf142eb270d33b0992df5e78efa2b07cd35b106e464

SHA512
4c1cdd3c40dbbac98edbb5f7e26387931aca3e00b2085f62ef06d19a0a7ca5729975a71a6940ef59ff85e195514b3be318e5415f0d091f41ec3798590e9d52f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
963921e32c8f0e1ffd6a14913b0727d8

SHA1
215d68926cb49e3b6d8bb7cfb0039203c845b972

SHA256
cb4ff62787381ecdac53d750e06227b42e38b794024c8a30df419e5c340dadf2

SHA512
179dd5ed88887c77b8bdc27a06b82745525b666caece8809c42fd0d3e1e6e6e7153a19d17e1fcf0b5dabc219ca2fc3914d57a500f7e243815d0e1a4c9fb32906

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
36a0a415cf79218b9efad5d811580a10

SHA1
c1bbf7e14676d2bee8ec5e97f77a9dbd1f7c213b

SHA256
54bf98eb225c8e69ae4fc036e322ea7b2d752fdd791bb2c4eeb6bf698a4b2e48

SHA512
423beaad91a06bea2a5735193240fd4b3f01e4b4a739a415fcdfb762fa64a62201b4395b0d2577bea8910547db6205e3e485dda321ab64dfef4b692b92d1d0f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
1cbb711747d37cec8f81754029574121

SHA1
88e9481287ed8ca8e5fd1bb87b7a7ce68fac86fb

SHA256
f37e904ff81fb4202120939f888d4170cc14f8e158aab205238f72d2c7bc9608

SHA512
594f3deb93d197f819a1ba64b5ef171e22fde35bc735b7e61fb19de4e01021236e0e776c458f228fc7347b0384785a21452c9507f301216ac7acf373c0883c48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
479e496c22ed926b2d35eb22d182ce3e

SHA1
41190ca73f3ca1889674fd1eba38b60a8842c329

SHA256
da45d32ade481818c9b45d651fa2473179abbd6f752021b2734599d7b19aef0e

SHA512
8eb495f878d5bc6797c51b465987e94ec3dd1b8142e798efc71a857bd8455dd752afad177ffba2fae6280ed1dd31b4fa85af192ed9352df10cb25184c78732ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
87911c2a8a9966e86866f09cb0e5c2da

SHA1
5d0737f5ae350c7f9e3d2565c86b421050b58ff2

SHA256
dd1861ca5512a001f99a80a157c3567d2a66904595121a8312d1369dd5ebb710

SHA512
98d57717236e61ab3c44d54f46952cb54dc413c239e1ce49121d556fdd8928f44658e98faeb98f7738c219ff8d95d187f4f3f8a937b2eb8ecd78061ae6fe9f0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
0eafa62c7ad18e8b887c3c3ddcc82568

SHA1
b232660e7bd0314e9a5e584b6a6cae057bc11ec0

SHA256
f1136cf6fe1f5466307e65fb8bff029fa616567783a165ea1626fa87f6a1d139

SHA512
22d3aa8cecdd7b21dca79e6328671729d9212057b123327fb0f08be508755145ce82379ed06ab9904d9ea870bae29e834d04a794bf03bac83b361ab41cc65184

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
c987ace2b512ce5c0abb5889dd25f887

SHA1
8a3aef18964c3e6991772612c4b87bfd98ad9747

SHA256
c9c8a9698f99a2f51b53cd3e56bccc9b524de31e9b2aa0796d2d05e7e3db0720

SHA512
27c436483107b66454d3a55ca696239b932e8371335eedbff94aa5effc38869427b745e58d74d76214c92d9e9acffc0b40de07833ff9d24584eaf93cc28ac1e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
3511edb2999a45472df2c1bad6af2e75

SHA1
271de4e0c0c57ea2dd4a000d83eda2373ffbcdf1

SHA256
17c0ea066f15df751bbf9f0d0d412b5e2801552f86d5c5e6f438c94b1bf812aa

SHA512
df1f22ba18a46aa3c8bd52184caf80a5b5e96b95db324e9df68dcce870870351f4caff9e4d997c40c1a28f84562dfe62ed3b663e27e8993a0a52105610a51b67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
27d90f38537acb6353d210fd8a6f35ff

SHA1
6ac87cc5952bfc46a618f5bb680b681abfa6cf9d

SHA256
583146997e986e3df8297fdd79b3959319a2891dd2fa9dfcdaaa720ed4bf6735

SHA512
eb0069b74b4bfde26eeb81056aa04fc10ccf1b5ad9b186a22269c6e5b231b792599319081d364de60be02e2484b62f422579b62f95161eca2879b2fbdeef2339

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
357a4eb2103d27e84dae7444b6d7b6d6

SHA1
0312984af00382d7f6dbcd10c22c9175a502730a

SHA256
ea7ee2104821f6bae7a30cbf3b4b33e0747d3a333f60cccac29df77f415ad031

SHA512
1176d16b9215f4befcee53b6c909de0da4d76e671fbe18fba4661c284026d8d414084f587f8a8468fef6308a8d7d9526faea4e0808a5c92f3b47035b1e7b9899

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
f70ace85d7c254e80087b003ecb5393a

SHA1
50736a0f2592107466b6921441b4e07ed259aef5

SHA256
174d0698e613c10d7791e7e6948f96877d5a583d7ed7593aff8ff80253379cc3

SHA512
cbf01a3a2515a4a23e7fba77299e57f85d2d91a4ce1182306b216b6a9ca8db65673cf9a2f9937e023f16baa11147a299cf745182da887c3f6dfa4499f5675819

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
287d19477128335141adf276caff614e

SHA1
7d6fac17eb4e9d00c7baddcdb9d90b26fb417b02

SHA256
a52d27acaef9d01661bce1faa4f206a983822d489380128b759a8cd5c7fee5a3

SHA512
68209e7f0087cb4885f5981915021d2f5c2bd34eddb988d30ae5a7e5701ecd22dab5817af738685d8a1ab3f4a2275326023c08c11ab13373bef2d5392478e3b0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a25bdec89be1686e7ea294af446e3936

SHA1
1160828c7e95b1b384f4b2a1f3324c42a602f54b

SHA256
d6698fa9ebc1f5b9c83052adea01c9e077182dc7f33eb340388b0e654e281041

SHA512
9781dcca00c3517a72d11ffafe797101786c53f32765cace3d3bd264c25dc10eb800b0dac5256f351203e02c5abab4af1da7443de6ea6260cd844a1ad6e44582

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0d9092b9c268ded027604188b00e6d46

SHA1
bd06a8f18ff6aa7b5c91f0f9ccb2ffd601a20c95

SHA256
858a36bd0b914035df5b3126888d2e10bfefac978e98b7d86e8f80a388daa8f5

SHA512
132e136e0c15ab1d4ce20c2c466dd324d8a84b68a6352898c77c00ae0e6599f2aa6d504953e08aba4743e964377eb7e9efbcd31a65c7fe5c61f2080d3933c2b2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
9d503154dd2a10d4afafe2bbfa096c87

SHA1
42bfa3bc9fe7a6d002848391518f2d980d250b7c

SHA256
89e66fc12c89ac26309ac620424f4b8b52593f39f00c8478f132817c32477751

SHA512
2bc92fe6f008b92b8830fd7f4d9af529f2476a7729ce25e8b3c2c38eebc5e83881dbda15a20e8a9d2b48ad710529369b4a164a39f7da65b2d4dc6b20a8f995eb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
3851135d2b22a769226ca963692df043

SHA1
e8d9e1af771e5ce955e7f591f968905aabce1d1a

SHA256
539401dfecf732572e0ccc21ab3877b3bcf46c89a99e8b82113ec7f17f2a5ebd

SHA512
e03b22b3dcb98cf354c920d8c6b2936f2f24a1569308f58a23f54277b98c2a6b53a4a22ee52727d09119300983ba0452af828670a7ea599d0e10cddca5952cd3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
baf239f2fabd4574c86b36e206bc2f8a

SHA1
763032764a409f5fc374b4ce706f873ad607149d

SHA256
6798c4ff4b172776cc439c3223c93604ad4451fd12746386f221c30b4aeeb977

SHA512
6d4ff9e74bb15d282f64f3ae59ee2c82f0595c0b1cddd4db8705a6fd053ca51ebfebc1ab26a9e2615b1101cd5874564b24ea1d20cb0d16fc1a977ca245fa9ed3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
914e4332698c4546334d28a49236bbde

SHA1
0ed58fb100a483a3fc7e914bcf5e501ae599a240

SHA256
cc6975c0868cbbeaa5617f202eb357054d55232b3503d8d10fef051a3648782a

SHA512
c661b35698486dd467c2220ceae4ffbc997cce9fee01220c2929bfed5fd22eafa7832faf87653d3341e50c71bc7d50619c16715926882a60df9fb6ef9df5b28e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
57bdc2cf7903a07868019f65b5f8248f

SHA1
591627eb2141208003c82c66a615eb27b499b00e

SHA256
7cc71259820648ba89a7616f258dffb5b262c832bfd2b6b239785c0f97190a7a

SHA512
803c802de38138a5f2c15e3262bd4e550f5727d7da45ea0680f6c65cb2e3eaae383ab8a2c0f4403d207e6d9bd064814b17aacb61468993318ebeb85a9dfb6967

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
34a038b76502d582a148b9605d5e76de

SHA1
186205fb029e1f72bb46d9b0e40ad950552784e2

SHA256
4f2384212e5058c5cabc997ac54e99f7a4e5d815ad9befcf8e03b1872bd8b337

SHA512
b1ce3636cb80c478feeb9daa78aa54d488e83164152b533eaefd86939f1c1adefbe74ad4cdc9c051e1c545aa4790aaf4303ff9b70d1286383d80dbc467f49526

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
1b8fcf2cef5589d07ab00614b1b060fa

SHA1
dc09509074959e1ef1cd7634f860479ab0d0b44d

SHA256
8e8bad31b06ecfdd6727952b44442dda319d7ee4d4f6f43fc9a7a4958702f769

SHA512
cc2465030f1da0cfbe998c47b27c56dfc58a646cb42b6a5c8acff7d10251a245043b3982bb67f3902a7c01d9c15b2157e0b6f7c8e57bc1293ef77d601966115e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2918db290999ce9a574b2dfb5c8fa72a

SHA1
68d717d27a1593717500725e1bd0b06ffdcfb482

SHA256
6bd65c9a55072e169e440fc07ac48a605ca4cbf6649100036622290fb00a69a1

SHA512
a7cce11f181ab6482e24d9e746621f924d9e58fec0d900967b371b2b59a0610cc437fe9235bd8c938ca58acdeba74bf506f4165a1c29c3027ab8868ae5b514a9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
765f1378abe725ce933a612dee09ffa0

SHA1
9763b195fe9893078479711a175982decb493b3e

SHA256
3c3fb55d4daa78374ce63e636d0f6a61c07e1d130e5901f434e8471cbfc9cf4e

SHA512
68d32af0adf8c96b8899e070858d8b25fd15a942ab9c00ccb3c7a25db5d06662fc5132d6422a822ffa548d6e0487cfe3dafb15fc8b7e66881a7124e0203f3026

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
6d31a526a4ca170b99f7246f1596f874

SHA1
8477bc7ede552a4b1b874a6c798d6fd5831616bf

SHA256
0221250b8f7f4310fb114feeaa8a16154fd51dfe3aeee4508b5f049dabbd07ca

SHA512
9229d3275c2d96cc015a503de193361a41efd2f1134725d22b79eee2896ff03b1c52b2a2f22563b1c7d2c20caf1d4bf46217e53030e75fd29a99ea58e810944c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
0205bc00916691de922a3a113be24d1c

SHA1
01b47c861d1d18dfe1f1a15d02c029f131e034c6

SHA256
b8465ef4f5d7fa4f25acf48c9426a884125621a42e8db83cc234fc29b7d03432

SHA512
5779c260c4704ce1cb026ef27bcf839b81ce5423236593f46bdc82f4a3e69ad57ba0b3042cc8859e8733ff6b24b130beddc3db71afa1ab749409fa843ad8df61

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b447264145c0b117c8328a3575a661b9

SHA1
8c4e437e8a06eed185eb4034fef12e198c8a31d0

SHA256
c9b79252afe78bf914b1731fff64fbe6ed23b74115d52fc45b80ec4390cdff6b

SHA512
278fb88c0a025b776fcec0eeabf1a0ed64f9eb8c535e59cc3da2b2f3b0d2681b03b310ab8ec905c63018c8a99e289c24e3dfe702f176d8c1d4f505707dfbad1f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
37b21781175fd26a35a2b8551ebd8a36

SHA1
5dc9ecdc99a405aec27eee438aad90420790b49d

SHA256
fd5f15cca99efe8699103b4512e8d4a46108427540d3a819bdc546e0b864056c

SHA512
9f2ce23a6a50111b2dc4097511014049597aa24f2079f650e2219a56548b4efc6a2aef269dc95dbbbf19dae4844c192d485a595d3ce29caaa05b37d4e220ed21

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c23cb45e506a9570567348c5b4caf360

SHA1
2baf45a55ad7557405845dd436f01ceeed6175df

SHA256
bd3cde6f945020b787bd10ed62afa57d07cf6cc6cf160bded1d2a9380ebf5b7c

SHA512
f85693ad82767d1ae47ee3e18c517a745f1a5032dd3e67354073de0d7c593a655015a86a2ab65efc395957dbf0120b6dc61efd667a27213a3d6441d7f9760456

Download Submit
memory/628-659-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/628-371-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/668-557-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/668-337-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/916-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/916-38-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/916-237-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/916-32-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/988-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/988-657-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1892-665-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/1892-433-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/1960-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1960-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1960-656-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2096-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2096-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2096-256-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2172-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2172-76-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/2172-68-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2172-239-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/2376-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2376-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2712-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2712-664-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2988-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2988-663-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3088-388-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/3088-270-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/3192-250-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3192-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3192-252-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3436-236-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/3436-28-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3436-27-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/3436-18-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3956-60-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3956-54-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3956-66-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/3956-64-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4000-314-0x0000000140000000-0x0000000140238000-memory.dmp

Filesize
2.2MB

Download
memory/4000-424-0x0000000140000000-0x0000000140238000-memory.dmp

Filesize
2.2MB

Download
memory/4180-352-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/4180-658-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/4256-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4256-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4256-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4256-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4388-412-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/4388-296-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/4664-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4664-26-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4664-8-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/4664-1-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/4932-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4932-662-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4960-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4960-667-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5104-400-0x0000000140000000-0x000000014024E000-memory.dmp

Filesize
2.3MB

Download
memory/5104-293-0x0000000140000000-0x000000014024E000-memory.dmp

Filesize
2.3MB

Download