c3b515c9bec9282f8dab6b8264c1d9b390608fd9b27b935c0ac2658f17e88067

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_1458975315929c40804b59c1e4cf82f7_avoslocker.exe
Size

1.3MB
MD5

1458975315929c40804b59c1e4cf82f7
SHA1

527b76567d7a8b4da6362ca72eaf0ce579496def
SHA256

c3b515c9bec9282f8dab6b8264c1d9b390608fd9b27b935c0ac2658f17e88067
SHA512

e362396ab3699d83811bda0595bd55c7d06f80e84d255acd4b83409aefb4dfb23dbde15cd0c73917a0b62b61cb31b22e746a5a517f784afbe6af07f2a688871a
SSDEEP

24576:92zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedTgokO3C3VrC8JCu30GiISOrcw:9PtjtQiIhUyQd1SkFdTgoBIrCuEfIXQ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4536	alg.exe
2216	elevation_service.exe
1460	elevation_service.exe
3664	maintenanceservice.exe
1716	OSE.EXE
3860	DiagnosticsHub.StandardCollector.Service.exe
4892	fxssvc.exe
4912	msdtc.exe
2804	PerceptionSimulationService.exe
228	perfhost.exe
4248	locator.exe
3768	SensorDataService.exe
3320	snmptrap.exe
1900	spectrum.exe
4240	ssh-agent.exe
4164	TieringEngineService.exe
1268	AgentService.exe
4324	vds.exe
396	vssvc.exe
4904	wbengine.exe
4568	WmiApSrv.exe
3812	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

elevation_service.exe2024-04-28_1458975315929c40804b59c1e4cf82f7_avoslocker.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_1458975315929c40804b59c1e4cf82f7_avoslocker.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_1458975315929c40804b59c1e4cf82f7_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\35c8496185ca13a2.bin	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6f74e835999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f504de835999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000602218835999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf0e05835999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014a95f835999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005fd328835999da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026be34835999da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe
2216	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_1458975315929c40804b59c1e4cf82f7_avoslocker.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2504	2024-04-28_1458975315929c40804b59c1e4cf82f7_avoslocker.exe
Token: SeDebugPrivilege	4536	alg.exe
Token: SeDebugPrivilege	4536	alg.exe
Token: SeDebugPrivilege	4536	alg.exe
Token: SeTakeOwnershipPrivilege	2216	elevation_service.exe
Token: SeAuditPrivilege	4892	fxssvc.exe
Token: SeRestorePrivilege	4164	TieringEngineService.exe
Token: SeManageVolumePrivilege	4164	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1268	AgentService.exe
Token: SeBackupPrivilege	396	vssvc.exe
Token: SeRestorePrivilege	396	vssvc.exe
Token: SeAuditPrivilege	396	vssvc.exe
Token: SeBackupPrivilege	4904	wbengine.exe
Token: SeRestorePrivilege	4904	wbengine.exe
Token: SeSecurityPrivilege	4904	wbengine.exe
Token: 33	3812	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3812	SearchIndexer.exe
Token: SeDebugPrivilege	2216	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3812 wrote to memory of 2456	3812	SearchIndexer.exe	SearchProtocolHost.exe
PID 3812 wrote to memory of 2456	3812	SearchIndexer.exe	SearchProtocolHost.exe
PID 3812 wrote to memory of 4196	3812	SearchIndexer.exe	SearchFilterHost.exe
PID 3812 wrote to memory of 4196	3812	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_1458975315929c40804b59c1e4cf82f7_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_1458975315929c40804b59c1e4cf82f7_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1460

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3664

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3536

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4912

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3320

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1900

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2456

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f874aae47edf33fa975263086ca3b84c

SHA1
8c24d00486dd0d9157ab9959b502cf0cab9a7823

SHA256
d1632b7271d9dccf8aacdf78cf232693bf769a4ed86d59ecd16fcae84748037a

SHA512
5760ba6de6b2dc7e7a170a0d2671c86c92b2ebc8f94183b0c97d850fad73421cd8dabb6a8bf6065151f4b5f974eeb710c5cdb539adb8322a425f9403a4addc67

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
b3990487c3955b272c11621a5d1be8a9

SHA1
b3d29f02db0cf17f4a4d98387d0bb5b14d024bf0

SHA256
ed9b17c7d7864b8f6a5c83655695f1026b4d634e1c44c86cfc36ac7de12d24ce

SHA512
3bad72f7945a7d25b6470c5a64f862bf44a9b189a26b29de83609b35a69b538d90e1aa2e9e3fbbc3427608e67a9b3c64f91a8023dce0e60b55c83f2363cb08ad

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c5bdc23f7eff51491708227a69169253

SHA1
8ae1b4b51a1a8470caeae27ef43c7e57e5030da5

SHA256
b2774e90d58a98ca25aff409eb7e7a11c3704e4866c63c2f3f61acaa42b29ad1

SHA512
f31312669de4af524afe15308a3ec4d714a41c34ce76519711343d328e49c821c4807a2efba4969a2e2f7b5c671ac4adbd11e4f589019d6bd5dc1245e38351a6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5e96a7475eb4f600b1bd89af661e56eb

SHA1
614cbf489aa967d3a781bc29882f77157bfb7c08

SHA256
845c17ae879bed37db232d3f64563f8aa10123e4f073d66e8410b52a28886214

SHA512
13951a45b17ad864fd3120af875f30e0cd36e5c678a865df74e209dc13aca7c3ce37b3eab0e90c2140bd098722f5e299fcd6da8dc756ce0be90fed02ff4c14fc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b5fc5b0acbbdd3b79a7d3fd6dc6fe754

SHA1
eed28c5afca1a71dec96f553a4203854539898ff

SHA256
3b4ad89beec2b0077fc03da37c1b6ef445734c880ac9077c40d24698f225e49b

SHA512
14507d11595b0abde34f4efa5b058edc24c10ce9faf391c26f377f1a7dd2e6f264366c167d466ff2c35ceddc7424dac5f8e75a0c07aed104f27438f6cfd7675f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
eaf2c08a567e5f8b311026a2fa8444ae

SHA1
acb58dc33a603ced87ccbb2503ee55d3fd95844b

SHA256
5aded3bfe31fe72c0072de1280a8b5e5ffc0bd4945a9f71e09fab507c551cf3c

SHA512
866c5ca6e44ffa2774bf67854a307f4c1728d3d96ccfcf74f23f96c01b25204a24be657313942fe6963c09c878ec4057bdeae4715746e4861a3d8559a33fffc7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4e2a41370db1dce2f5aea4d6e8b39b6b

SHA1
22b8efa100307adf5bd831d0800d3d2eea025f56

SHA256
53188f4444b139096ec0058d5df29f0f005b38f78b389d777774ebfcba07e6c8

SHA512
e5ad4513c4ea94def662c2939e6103a531d6446247cdc21fa2d4a6472df5dcf27f56c91c2f501c2a354455c9c84c41f32cd0356c8bd6949519a1bf2a20b850f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
26e52b4fb10fb7119dabfc184f1a2a86

SHA1
e8f8478492fa79a21fcbdad489b3eebb64cbde4d

SHA256
0cf13bcaa51eac4a0ae714ee3eb4c17a4d2b75e728d47b4d11fd1cb4322ff79c

SHA512
46a260e233c0328246a42ace5750842487a2d8234da71e04989912d05a08b3ab20198fb6d267d61571455cc54e94403324e74d1980cddf6e7691a4e882ef5346

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0d90bac4ebf9ae382c16a7c930f969b5

SHA1
6d59be1161c2e5d78e5d041796e0779124558eac

SHA256
bf04a91eb1497f8a5d8b902b404de46a21cbdf3776054f613c7aed3cc9fa21dc

SHA512
10971027fd0abb52b6488b2d870555d50bb2ed89f497a5654010a0c232120cc95c4bc9f2ad754ca3e068555f23993ed5a82e1588dd18cd9e85e8655cdd87cdc2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1210373743055f1c24abd487af80fd6d

SHA1
d77d37fe0d37316fb27d2a21fcda3ffbe8487fc8

SHA256
b36e81fe5accdca786488391a67758fbfbd70789bf92e9a8a813e53ee652d1ff

SHA512
c4683a7d16c962f85f33f1e6b33a382979774f62245529feaaf76e4d19e03deab8dad4d74a5a068d23905f16ec8d9e5a7aab4d5c0f96c452b0db10fa6ce75b90

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d4bf4488f07ea3fb8a6abf963ad9ad45

SHA1
e50ab358807061419edb7354d3a8b0b51be4b7be

SHA256
d2b3c4c99724583e7f417e9aa379d0486efb23558306faf5772c829ac016d71e

SHA512
f6f66ea9e9f75c79fc3bb592dcf3823218c6b61d3523e6e1969a449df64b0fccc0e372fced6666716b98a27a4f03c5ee5a211c4aea3ffe7ea98f24341687fba1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0cf947b917ac79e176b72b05da6a1267

SHA1
c10030bdcb29f21b17fd5005534d78872fa90b99

SHA256
f69bf8cb1850cc748f685038a2fb20570aa174e7ac2109b29d965a078f6158c5

SHA512
57a0c364cb8a207cd18496de3a1faf7e306f3107c2b39f6647eb42ee11abd2b4f51e5f8d04dc67be9461146e531b49d262d9107ddd0b02142b0114fde307433c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6c676669bb25c2253c53a68a1677054d

SHA1
db8c3d914f1caf7d518d6f2cda00157f0615115d

SHA256
1a363ecda88bd4822c07ee3ae808cffc6dc4386d57c626977987cc36e9954a21

SHA512
889331c00a040ed92a9efb9f8e04429f745c7f5eddccfb700a5d44dc09a0dbfadadabc8a8481b122d7c4658342581d571c819bf6fe6e6a92363ac6793ab43ce0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a360b2392eb8cc110b121a50ccffc514

SHA1
bc3911b6567d349b1a85fbde4b3569414040633a

SHA256
a4c7eaca00e2efbc93fae207eb706fa44d499daaeb33ed4feef3e981019eecf5

SHA512
edceb9b17c27e1e11c4a6ccb4e2dd7596320e9e320078e2e27c486bdb618f60efc0f4b4ab9d16cec095db30964c884f5408dfdb7964ffcfad09d2b6ec65cd9b4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a6321521859839de30e3ce8dcd545f7c

SHA1
b0eaa95d8e7059dbe6d9e5376aefcfec1203316b

SHA256
2a5df735a23102ca7a9048c4194c949a4566dfbf0d6438e6d4b7a535494280cf

SHA512
93532aaa110e7611f30e1574e8503890a999f16684143149d6965f3544e6ee472ce0eb224f6fee1fdf7a80fb11cc4cb504901273ea7d0c9ecbd214f90c5044e4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
7c7046a115be83f67ce7cfab44d31d74

SHA1
1d42f8fe1f5c4c7f6de2fdfd2fcdb996b821bed0

SHA256
5738fc734d7d781e5da7b362fe081698330d5e4cc659d83dc32be207aeac8475

SHA512
3c73be0c4c10bd40d6457988c3d2bc219b3abc06f311b12e2e3fffaf0fbccabc2cbbf098d8c3c6bafcf5f72a7d3d3eeb2126aa7eb83c248a8ccbd869108e6ac1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
6c6ed9881d22df75c1195f174fcf65a8

SHA1
5fe30330f3bce8eb1b2a0f02685acfd6e4995a86

SHA256
93cc8489b3b89077f3cc4d96b7201ce5aefc3e2c6596078211eb965522bc1567

SHA512
a8c4f1a6a47abe3a27d1931e8f4510bf8ec37bfd2bd590680b34b53516c8fd536f5bd1f66bb3577c04f05e4589834bd5a926f6a100500c3bf7cb7fef3b5e5556

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
5585c8f815dc4ca585304d0844f0dc08

SHA1
cea28d6251ca024c8c1bf8e0d075a10452505ef7

SHA256
7fb09478a79e59748179392c89f5b4190982a808586c1bf3f83349fa7c320e5a

SHA512
fd328ace1d280c5958ba11fe2add5c4fc9649e150e54fc6cd03196af251a522ecc012302cb257b4de74becf62fe1dcf8f2fa448b973bec85c7f343bdc04d57bf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
103b5efae6d7fb9af40abd68483d942e

SHA1
c9997f987f9f2807408d81ad35d0f97445cf76b7

SHA256
d1b8456c292a8063eac2c544e1706b82369dacaa174830a53bb8f4dbceebb8a7

SHA512
6b0d43c6e11c4b6ac91d1e170eabf72bdf9f45c9d48e40a88c8ff8e93f1617abfa6b75d33c5c3c4ac94935376c7a986b79618abae72366ea0feb12c48875a306

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
3d0e3ad1a0063ae76464403a6d63973f

SHA1
60657fa6c178ce6c98acb49e0ea982080e9aa8eb

SHA256
70ff6f6ed139d2088a1c91b766cd92c1035fa66c0d22eb1a69a732b65745e0e7

SHA512
275a4c1ffca179f1d7982cd3ea621fa976948df576bcb8b6a1ec7d805a3af9dfa340131e66b5d6fa044de6efdbb2507a3ac819662dad17d96ff2d91f02b57ce9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a7af452c11eb87657db00ab960f321b6

SHA1
b08b3ef42aa98a4b74a8a92e03ff36d0c8f0a039

SHA256
8dfc976bab111dc90e288da5ab5bd2a3e5d82b36029e2ccf03497cce66fcf1de

SHA512
48596f43611d82c3cbc08ddc9c37d9e9a6853de363c6693415c04bcbdda3ae37167ba30ebdab11b6ebffd790d643d030e98cecdf1e013d52bc25423408320ae4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9398899b0e41757dcb98d7f2d7b00310

SHA1
b206238e0964fbfb7ed8f9214572c3a2f4a494a2

SHA256
8313fda496081301cf5b8651e0b1c9f8044e0e63a3c9ccffe19a19eb1b009890

SHA512
8f78f5cd779016a1f7c52a1e8d73c45c4bc8fcf408e1fc6033cc209762726d0c94698d37bed79a43f4f3d08c8aeab7470da9f4540554cd5f8db9740640735900

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
edca52be1add8cc5c7238eee30533249

SHA1
26e28a379d5e8eb68d1b7da67ebfced657878113

SHA256
8dc2ea6cb16d66e65c29f58bf36a9841270fa05a4877b2834dc0f4654ecf50f6

SHA512
d4d209480e12f435acc44c47ee2f913e6b7da3d1b39e544abfe636f06d8b1437161dfc56c0d7be744e663f42bca922c978dee0a3c757ca92494bcb4a03e776fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9a9c4aad6ab7dc0148ee6913cafb0b85

SHA1
87407b22740c4382aeaf10fa994b40d80c153d87

SHA256
70c4c089b8e21bfb3f6eb9b290916beb38d7e033bfd88fa791f3394239fbf064

SHA512
d942acbce5efee7c738651c8052bf2bdef1fcbb92f40d71d215b0cb8d192c81db6fdbe95f86bfff2582f336d14f11876744980eba0a13415d9f2b65922db8337

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9248594e05ed3fd1c2815574889126b8

SHA1
fbaecedc9b2d72b9084ee5e94f5a75db1f8058d7

SHA256
d0122d4f8709e38b0ffbca5e51155729cfea7f779bac020bb651bc72b72373f9

SHA512
00923e867985590984e73017ecf00bcd7de31e41f22bbcc7825b1dc7e74922ae7902b2b71f6c9f3422a9e4e2b8d049e8ef9dd88a336b0bc64d14d6425413b335

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
efb31c3a43b236918ed031af79919df9

SHA1
109233c43caadbf382ed67a82d1954cd7e04b6ad

SHA256
b3200944047c37f8ff4c285e8bcfeab78591aa8f8d1cd4011b0effb5b5ef0b33

SHA512
b6fc047e4f39e255944388a2801624e899b40e797e938d3a8e5023ecac87f396e92dd3b40bda70988a2d1a11de7d50bcb1d57d881b2b77835ead34d7f46a18e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4f0d66ac00a8aad6287dd3bb29bc3fdf

SHA1
23eef6d807e10ce4bb16c452e49b31a58a386e24

SHA256
6d3b9decbb218140fa8f506efd9923133a2385c38be43c496c566d5e16c5a6bc

SHA512
dffc151134dc2da140e5f561db21fc94d406fc5e2f388ca61be90259fc45d316e0ed9d5906a79f873478e1e44a45c2a5ceda084083bfa5108e319c3dc7877761

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
1c2d26317669631800f45be9ac2ebf96

SHA1
5ee59d0e920c2ff7f3d27c643c33328369c8885a

SHA256
59503707c17e4d9b69561778cdd10fe1f5f27437266f1fcbe4780d334a0aeb15

SHA512
eec9f0f0929efa90f065239236f447fed121c7e935691f8f259a28ae223be84597587fe21a6009a1b54b4cb7c4ecfc0b5472a4e7d991fa3b61334d2e0c7be24d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
628163d39d67cb5264d23373fd4ace78

SHA1
91dffcdf6760c55f329f9da044e011db0b0d38f3

SHA256
e2ee7b5d362682a1e3887c04eb5a8f0a0886dd3025036646965f4222ed653f96

SHA512
a13105b63697e84d612c19f6ceac1bc5aa387bc0413ff60f6e88b1deb0601573409069366cc4f8f499718ee486f7e3ec9f10d1d101a51d477e669461cdebd5eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
961f66883850531ce2b4d1ccedffac67

SHA1
cccb7bde272f51a459264b30f846d763803c84a0

SHA256
573c4a0e297515bf2383a4b4d3b292cad4c20ff6ef7291766bad2d93e066712b

SHA512
b4c7171d2878cb8f695bd297d7e81444aba3711daf29b86740f7308491e35a63d750ce9554a7a7d6085388788dc752cbda3b57f4d72053fb16f5f303aae61eb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a36e4447f3450dc5c977d0a476001c1a

SHA1
d27006d3dfd8c990292a1d574f82e467229b5cac

SHA256
5e6d2917c1429a9775a7b5ddae9b4cf0ffb57ccb4605c93202d5f5b00df88c5a

SHA512
5cc9bb27205c76cb4a89292b10a54100aec0141edeee9758dc3223485a86acbbecedef82d5ae14ba7069b418e9068044b42c262464a0ce5425c391513da44ec2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
335b6c77fdad0b0f20c8cd658da3a51d

SHA1
a25d53cad5be8278495ef9d23c5163166ed88505

SHA256
0072a2ce56c68bb6572e83ab50ef5fa9e1cba2b7f7e2711f4856ae0c7eee76ba

SHA512
2c87feec13b7c175f336a3db1ad349d030bc34b0bfd445cf97a0769d28d7d1242efdf15d127ceffc41537a442bf65a6eb3ccd5f4b0121f6024571d400beff1c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7b4035b5666feeb04cf4e52838e055a6

SHA1
ec2b53081e0195ada947cd44ee636dbd7d561439

SHA256
bdebbf1d82df6415362487ab32214e3d3b20bfffb60279127a60ad44f0c0f054

SHA512
f7d754f92825302d5886fdd82d1cba7420768e9592cee05a980396c996ebb28bf3b236ac977f63e3137cc334b25b92c7c4ab630e15d677d64760b02cf5add52f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
8e652db7c9cf5695237a416cea475818

SHA1
0433ec00e647db983ab5780ed7bf8bca01ca8b77

SHA256
1724c65a9741c21a686f12011c3ab5697bf4bd5f57f680389a511e750ad2a420

SHA512
8a8a1641533b108c15cbe32c9466ab3ba36ef34acfad7eec0b894c349a0da4849b7e9e1fb0f9f3994d4ccf82393996cc1f30ca9f91bf7516993a7c8f499df714

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ecfcfd794b36222e7261b86ec0ce2c93

SHA1
9f1394748f2ba0c6cf2c72c2e234e509fcae57ae

SHA256
95b8474375195b27931cdb05b2ae0e273abe47f51bb867c470d5dd708ab5cf57

SHA512
07b5befbd8957ae31201d37cb95f9609d934014c9cc1201e4b51dcf4bc85cadf697f2a0e866bef5960241f523d42a77311b83911f0015b71b381c0334cfa1266

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
bc50ae145d15f007956400d205d9f707

SHA1
6ca7a68b5cf2152533b1b6db158263a8766c115c

SHA256
b313cdc56101e014fe30a6b01821215f3cf84325505d0c373cfec3118376e440

SHA512
27cc5fedcf178b11787845bb7b155596618e3adb1c8254e67423bd7f7acca1728c75577afd7d7235766e8cf2a99eabfb8a419fd3cbaac9ce7b901a43ea2c0cd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
95fc637f663ac4f648cacfb5af92e5d0

SHA1
2451e63fbbd85bee42536195110712e26cf24fcf

SHA256
b2b56202d7024821e52e45c9e01fdb2f3038f1391fe711246bf93f403f6a6cff

SHA512
aabd208ef1d41b6a30f1906a21c478648973b1513a8d215c820de47ea4f09f1893e447f2c6c8955a2ef8d66831213c6b89caa20d7cc704ac6f94b144f667a885

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
4bf563d3771f8067f497f9bbf2155c24

SHA1
a9c73879c50f2ddd7d44dee1e1a9c4361778c82a

SHA256
c19fd6e2382c0422f031c33af1b1e37278eb47e904750735bba54a0d7e332085

SHA512
882f22a77bcce9d54fe50f2c9c686252f3af4098e56550dc6f5f4aa0fb02077537f13c15cb841522ac83030863a2d7fad4638c147f11dde134524ea2c33d1f96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
aca557f5ce23b9dc3e29ea3d964146e6

SHA1
d65393e800cd250d84032dc5240dc87c89c37f31

SHA256
9ffd34fc804eda5a9431a550d6418f1458fde6a759863121f047efa87ff4cf0e

SHA512
4f15f83bdab52771f8426c850fff3d37f60f189e2cd1a6deb17a3450000085f679ce31de2d4fe7214e15ac51184e4be07a63cdd690118c8e75e292257f9f6057

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
a40f9a65c533a26fd55f712d33d48875

SHA1
43ffad2503b7ae09691f1004987af1a12ef3d83a

SHA256
5b38907d66565380d9ae603d81692d9b6e4a6bcc8980862b41933d14ae63a8e5

SHA512
fdf99849ff2fcc3dfb771109b3bfa5b24a1e25c1f29c7801b5002e7fb150c33c4b8f0446601c8d759a08d3d6b30b6a2fa7d546334343a84b522f6fcaf0a22852

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
a8947bf543e148396f53c39287f64120

SHA1
19afe116cd6ac158cb510461b0b33d4920b101d3

SHA256
6df7a6226fcde989776faea9ab04ac62000867605f20abc77167aa190b470b98

SHA512
8ffd5273f54a5f40c1797cd85f37a559fa64547bd63fce9d133d592572ba8f89d4026fb6143e3122552f4308472b759c919fe476508df9ab7cca47069f5f091e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
91994c7357c0d77a82465eff8e32e007

SHA1
cbb809044f83dd428d2c083b0dda966b5d93fe1c

SHA256
0c2710baee99d3a0ed3d4ec7a84b5642baebffecdf984b5f84e3c92c84d38367

SHA512
15ff0b163bfe09aca880f4cc6a8a2b84217ee1a31665603ecc354c352c94edaed56440ad139abc957d572062695d15f2c40f60592d9554d0a99db59dda66a2bc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
2683f35db9702882911da056618d5d1c

SHA1
21d2958c58473ef7414d4e9d031c03c34c4eb77c

SHA256
1ee1bc9eaef89cc0bf2b343c581f9de6a7f2bb925f528a06d0e1b01144d5ccd4

SHA512
d512a1493beef86e7b4659064cd3d03372d327766240719872ba9f683287aefc91d36703820847698fc87ce116f1fbfec319a856edbe01fe9b7e46f508e38ba5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6c8b8170460922b11675c1dfde805324

SHA1
ee244f47ab3e139dd0d15dfaefd9e1be6661294f

SHA256
e1c5fb935fe3f8d8608fa7ac3a806d17a1a2b0f2b44c208c2aa4d55a065f0159

SHA512
13fef463048a2687d27b28632cce1ee560dd8b85fac86c8f6d3a99b5bf2a27f9960713d184c42034162ab7ccc3b8910fc24a4ddcb8c72a72428b1bc5ab44870e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2ed58485e7885b92d8ffa48a567f8ca6

SHA1
5d471b7408513878db3a1e866b3ebc58d2de123a

SHA256
705395c9ac1abdbcc3c1db3f81556861a9ec8d81b3855107b4aad4d8ccfd8624

SHA512
2f2f7eb16bb0c43ef51a5c28f62494c51489133c0e4911f3eada9b1a1dcd0706d21c0a9c69d263ec238943f9ac375e1b4396c79835a8290b1ebb760ff7e0fd8d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9796a894a8173a3dc30807b5cfc220e8

SHA1
e64ca023750cbe2545a285fe262003d41c1d3163

SHA256
b6244738dc7c0889697a6e565b5f50d54723d3dd46cd7735277a9e3940e66cff

SHA512
b203235e0880e0be31ccda2e09f71c398260a904cbf29268ddfbb5fef76c80c2cd3d0fef9d18fff223727c01f681a4fcef6db16d1cec5e051392db753ea80f1e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e10ea3aa8b17ab3f99c6beaa92f47aa0

SHA1
a0f98a396f9608e54654d75cd0f30d6a5df2596c

SHA256
ddb8f4be3448b3f8a23c65e557fd882e5b99f672614ae22e9b7c61f841a605f0

SHA512
795648356ce92a90947f127808b6d81f2701276c637e29d92f05f683cdad780e19a5d66b3ad984c4f81077999219c9b1ff536894472d40582830001d62c4a3fc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
c486f5ee2aa83f475039a74e805a4e73

SHA1
51446d3e4737bf62ea6ec0a5ea98146976e72407

SHA256
0a8bff88f0e38e1e708a71072c03fb0d562c512b499b4d58474a52bdf75f7502

SHA512
099607a1a8de2719f6dbc35bfad2834e9b81eb8bda7ab61c5037a12a8945c2cd536ce0df92a4a8d60c294803eaa8875b93c3d8e2d0e4c83df84e83b804b09366

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b10a9700934f07877ba00d44ab4094fd

SHA1
a3c159f3f9581b8c7f03cf3d3813a31949c7610d

SHA256
d2fa6d7f80df57e113fa93ea86d6d52a9952f0b17f5d988da6fb071bc944ae28

SHA512
882fd8c8f284c024cff7c54504149cdde887430509fce3266147b91148785b4b68abff108c0dd52a6f9e61b6100701293ce540477767b66d21e32dd5a942837e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
12d7c1cb330ec57ddb88b1bd1f998d9c

SHA1
add8892e9e0177bd55448f250e0a4e271cb7a816

SHA256
16822d33dcd31579f0d61a1d8caa3e6b7f8e79e0bc9f464e0d497583108b3a41

SHA512
de59997f0cae4c9220d59a57e6c167192b38aed0e5ae7e0a5b0c0554356912835e3dd348dc6a2035e087d51e697e9263220a73d46fada94328bd46102608c2f0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e43efc83c5a7d9c2af96f1479231a2c4

SHA1
c6929fe4b88d551e9424ed4f28a1882c26018cf0

SHA256
2fc38bdbdab3f087aabfbb02002f80f928b3b874bcc104f265b42337c6043b19

SHA512
d2afeb6d4eeaa6c68f8b2ddb79dc7e382745f12100115856fae3cc7c7c8946eeca3dabafe879af134a2eca981d895f2cff06ebfb97ca1f1540a9079f47aa6e8b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ea8718338ae4419885685102085c72c0

SHA1
766dee3cbff5231555e66c339f6de061daa01922

SHA256
852262a535a99e8befdd8c1e5762faaab320f358c9c6909f4500a2f94791695a

SHA512
b8f7ba3c463ded664f863c50c367be1d66f9075613a8f4ba87b7abd2d5ba5f448e0758506fa3249c2f9b63e2480c1731be1e10c09b62fb3f0452c1276339fbc6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e7b32e23648d7f6e476a480028835e47

SHA1
d9fafede9810cdfafc6b8231f75d85c49f53b737

SHA256
38f34a848ea0713ec6de6f4f6895883af169bc731b524e7e4ac21e271594efe6

SHA512
99b5ba18b39b443ebdc6565bed2fd0742f9f110674db654006ec15f66db350a558f078cb060630a73612825914619ad5e5437b659e9a89cf0584654a2f638637

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3af111e724ee97076880ebc27395f29c

SHA1
30fd19a1abb27f8238e9de4bfc8f55577a3b34a8

SHA256
a99c5534ffe1d397860c0419fa3ae651c8b6044d9ec2022d3cf6b39ff656385c

SHA512
7a5d91fdb631f6ed11a9cb05a0f898b2f983afab30bdae84e667d96fbf9dc241224007749fd6298e509c5ff574602569a0696d06573864eab6c03f6455ca0e78

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7970809dafa3e5c34122a8ffedd61017

SHA1
e0b2119b41ba170a431ee92480a80a9b65371b61

SHA256
31cc2b4b1f74fe16922806a26c6d4b3a50c81a809622ea96b8d1b9a2100ef794

SHA512
4c22dadee8eb9b88c764d2d5762c885efed8b8602430a9f07581c17687d3db9f62e62e354aa2cba26452437f11eeac9290abac70ca494a571c3901ba0c30733f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
732c5cd82a0d453cd3d92678b51f62a2

SHA1
d5e6f1303213574abce55141afafea9c716ce361

SHA256
30a02f805331150c0842dff6432d2a3290fbc452d06de48942f767e09b057a0e

SHA512
bf0c5ecf8df8d0e5571a54d2b0bba007bc821b090044284bb157005139cb672eb5d08c7e7d66f9cd92d745fd11c08b77e925c2843f27ceb13d9dcced8b0ae09d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c57465d303517039756968d875e20bc3

SHA1
34f82c7618e01179137358e752bf6d450830256c

SHA256
0b54f08a16ded4af82ab45605e00f4d06c344232b58a20886cdb04e2aab75ab7

SHA512
ad4d8decb02bb4e09a0f69428d0b8c159fe059aecad36a852c891df1071aa678e45b1dc79380aad2fd27dc7f77ae1d73cc7d2809a9d40bfc00f77fdbd05405f5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
10c0e89ad6467ebfc33182a8a75aeabf

SHA1
6be25dce90a918da2b04ec87de62579b6ac5012e

SHA256
8f4aba515a400152c2317762e43c96b162b3986d2992e144f224162b7005521d

SHA512
7ea98e9e36154d9b5f5551294016379e4ec60f6a15cfa98c5eac91686f25a119525a684d0dddf8c9d3814f943a5a9adfa2e876b1f90d86e6dfb897bd982a450f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
63d240fdd02e62b4cf72d48529be0399

SHA1
29aa5e9d792074bf8514b51f73c53615ee7b0514

SHA256
73a6d8283fbe4b6c7d6cf844227e49cbaf315a3f6c25affae5061e96b5411a64

SHA512
62b6a097cd50432ce39b3446314222736e340b7626ce435cec0aae6ebfdbea6e283405e8394626a55fbd4d992c5bee0eaed4d250bb7bfcb29c38e48d5eb4df2a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5d039b2992f60cb4b44c00aacf9c3fb8

SHA1
6d128bb167762373c4add03ac64479d9e80a1cbb

SHA256
cc6995946fe0fc97f7106ef8351f77eda767b11c529f703bc1730fb615ef7b26

SHA512
38dc980bcd73b116f35b76570f86559fd1a8e6953739d4297d40d60a2990a8645047126a1ecd8092b22f75c7792a54dac56deb9670957964a4fd97e5a143140b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9083e85b9d86266115b89bcff6277955

SHA1
22cd304efb4f8b67d71e1b32d399dc68c05fbccd

SHA256
80e642de6ca10a61775f8ebbbc71f9a6bbb631877628860ca912b27b61a0cf38

SHA512
272d7e58e9808909986d1c20c66924c6f12db3547edf773edb0faf5d1de2c85074897398bc1e0255a56d380111d77e25442790b751f12bbc167ff7260e0e23b0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9039d9e392a8ca0bb4d2a5d4756f5ae4

SHA1
e2fc1d81f9fcb65198bd68de9d991aa995d02edd

SHA256
45961880ea11c0950ae0ec4034ed7b2b39bbc2ce1b25ede1630a51eabaead38c

SHA512
d9a0960e7b722c1c4335b134d0060fb3e6a6856f9532dd8d1f32f661e92c4640db1f0c0ae8f5108eda57a916fba84b6c381a081efe3055e9e6167d3ab7e74a49

Download Submit
memory/228-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/228-408-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/396-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/396-597-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1268-381-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1268-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1460-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1460-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1460-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1460-241-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1716-77-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1716-242-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1716-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1900-587-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1900-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2216-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2216-32-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2216-41-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2216-238-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2504-1-0x00000000022B0000-0x0000000002317000-memory.dmp

Filesize
412KB

Download
memory/2504-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2504-8-0x00000000022B0000-0x0000000002317000-memory.dmp

Filesize
412KB

Download
memory/2504-29-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2804-396-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2804-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3320-324-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3320-584-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3664-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3664-56-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3664-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3664-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3664-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3768-433-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3768-590-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3768-320-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3812-601-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3812-434-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3860-246-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3860-358-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3860-253-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3860-247-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4164-593-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4164-359-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4240-347-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4240-591-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4248-301-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4248-420-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4324-596-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4324-385-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4536-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4536-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4536-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4536-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4568-421-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4568-600-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4892-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4892-258-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4892-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4904-409-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4904-599-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4912-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4912-384-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download