a16290e29e895ce21dc7c54e283960ea735fee3c08c4fa1d46d77d8272c0d818

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 23:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_1afe5883b2576195c8faee644fa0a67a_avoslocker.exe
Size

1.3MB
MD5

1afe5883b2576195c8faee644fa0a67a
SHA1

e76d9b104e69e79b7384200df28f9a1be73a49a9
SHA256

a16290e29e895ce21dc7c54e283960ea735fee3c08c4fa1d46d77d8272c0d818
SHA512

cf8d6171b4ea67623ef73f7b85240e78fcca9811c66c58022b93e94bd4429cc968635bdaa1eb467b667a2245d4f862b8e3d3640dd8bad087fb351f6b4bc0ff26
SSDEEP

24576:Q2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedqSkQ/7Gb8NLEbeZ:QPtjtQiIhUyQd1SkFdjkQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1364	alg.exe
4236	elevation_service.exe
1660	elevation_service.exe
1412	maintenanceservice.exe
3208	OSE.EXE
404	DiagnosticsHub.StandardCollector.Service.exe
1268	fxssvc.exe
4124	msdtc.exe
1208	PerceptionSimulationService.exe
1176	perfhost.exe
4724	locator.exe
1148	SensorDataService.exe
4240	snmptrap.exe
2992	spectrum.exe
4136	ssh-agent.exe
3828	TieringEngineService.exe
2180	AgentService.exe
1864	vds.exe
2128	vssvc.exe
1860	wbengine.exe
1988	WmiApSrv.exe
2808	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-03_1afe5883b2576195c8faee644fa0a67a_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\726b88de7489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008fc0181ab19dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efa4bf1ab19dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095e45d1ab19dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011467f1ab19dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7825b1ab19dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac73eb19b19dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f88d091bb19dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095e45d1ab19dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c344d1ab19dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bfc131ab19dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4236	elevation_service.exe
4236	elevation_service.exe
4236	elevation_service.exe
4236	elevation_service.exe
4236	elevation_service.exe
4236	elevation_service.exe
4236	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4572	2024-05-03_1afe5883b2576195c8faee644fa0a67a_avoslocker.exe
Token: SeDebugPrivilege	1364	alg.exe
Token: SeDebugPrivilege	1364	alg.exe
Token: SeDebugPrivilege	1364	alg.exe
Token: SeTakeOwnershipPrivilege	4236	elevation_service.exe
Token: SeAuditPrivilege	1268	fxssvc.exe
Token: SeRestorePrivilege	3828	TieringEngineService.exe
Token: SeManageVolumePrivilege	3828	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2180	AgentService.exe
Token: SeBackupPrivilege	2128	vssvc.exe
Token: SeRestorePrivilege	2128	vssvc.exe
Token: SeAuditPrivilege	2128	vssvc.exe
Token: SeBackupPrivilege	1860	wbengine.exe
Token: SeRestorePrivilege	1860	wbengine.exe
Token: SeSecurityPrivilege	1860	wbengine.exe
Token: 33	2808	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeDebugPrivilege	4236	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4492	2808	SearchIndexer.exe	127
PID 2808 wrote to memory of 4492	2808	SearchIndexer.exe	127
PID 2808 wrote to memory of 3540	2808	SearchIndexer.exe	128
PID 2808 wrote to memory of 3540	2808	SearchIndexer.exe	128

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-03_1afe5883b2576195c8faee644fa0a67a_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_1afe5883b2576195c8faee644fa0a67a_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1660

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1412

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2528

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4124

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1148

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4240

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2992

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4492
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
93478a5ec905ecbb6e55ca25a946e09a

SHA1
7a2795ffe0da0647a43c8750c19862e9af2f1ea3

SHA256
774fb1142321e4e866530c8d463fe92144feb34c9475097c869b3d828f642975

SHA512
193ba0d2cde369cce386e07a1436e687bbb2b4537ca10e99dd6a4faf9715e404bb7c8c6af32d98ca42902f7a3ec40fe2b5692ad1b992d3e6f15d0e222c8afea4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7364bcc3afb0836f9a3aac0ba072b319

SHA1
91fa330e97f43ec6c2a81a3c093c1b5135ba16d3

SHA256
63728dba74e923f08bbed542ea39226326b2171de2e7e0e49d3563474e1ec8d2

SHA512
2e13d8ba48b8a051823f6863873ed068ebdc7e24886a159ea7d3e6593ef6e43b8fdd980879576552aca32bb0f8dd0a6873068dfa51c7612e4718f3fc10f5aaf6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
470f13f0bdc6fdf67b5518a7ae998f6a

SHA1
0c6c0093141810f3ff872c0f65d1f33424610b2c

SHA256
fd7dcbf1e4a18d297b7f257da45948861dfa822af2b572709dbfdb83f4117434

SHA512
f24d72678bdd8d25803a81d890830663c405ea2bc267efcdc83d937bfd779dddf15a1be4c517724bacf25711fdef95f68fe9ad2809807ea6c68901189b6d674d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d5705740cde94fefa83c3efffa9b33a9

SHA1
88a85f92d8d1d98d799f444336c7431a8c7b49ab

SHA256
8fa9780f7d0d7ccc2211f06a4e0fca084f5d63b386a581699e6e4b9480ee5467

SHA512
22c3400aeb004321fa1f1c2b33210e81a8afcd07210aeae2b24281dba2205d99fdbf2b3584b0ced0b300a8f1f479b8788596e5f16d413f7f9aa6720837bd7fcb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cfe484332d8a6b82f65ca9c8820ce704

SHA1
f82d2d41dcdcdcddc3ad9d5935e9893a255a9572

SHA256
bd86cd6187ecf7fd587aa05d45604139469d716c19a6c0036cd4ed52362eadd0

SHA512
dc24ed168256b05323248e5f14ac1f4901810310e87c366340389adced99c4ae8cb8b8396e5e117992bd415112c380e4c81b83a5e1a8037b569e0f522a393705

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
174669f34911ea2a08082388b1fb5846

SHA1
3fabdf383ec5b7428d6c6116f2e454cea98eebd1

SHA256
778dac9a5555a3d43edea8b2027053dacc63a3f46fff3dac1ec05b2906e3752c

SHA512
03153bc874e2150d0f74ab6998250d2652207e282af36a6c8e268e9cb23ec3a4047cdfc68f25d85d2439039b56a2b22ae5fa3b9d5b9536539e4bf9c7f1b09856

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d30b6f59b26e587d769a53675da26e9a

SHA1
b19ec0711b684f45aba1e99f29341cebaa8bf38c

SHA256
d1a59a2e605a474067cf8ff4c0bc91e33bc453ef0bb4949ce2e077d99c62f882

SHA512
0a2ee55126fbc8c192e874b4c3dfaec80b4c2687ee34edf1bdaadc132206c8c110667ed64f4c8625108adaf0591415b8299a2dc0ed40d699d3a765ddb09cf340

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
514e8621fd543b8399a9e975c7255559

SHA1
655bc8093623d9ad74bf9cd0d14e3caf04547d3c

SHA256
f6b707890fda1d16487e6364d15625e9c2b5c26f0ea60e944222f1c5273a9b8b

SHA512
e29c30fa48a9b6450d1c41f22d21108ad2750cf6877ea63e03f0fa532251b60933449b4bd74dbc3d3c7bd7d1a9a33461c00ec0ef262411d0229be705f2db5ce0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f62751b126632f9a3fc212e5acb39706

SHA1
6f9aeb3f134009afba0a34ede4af8e54136c635e

SHA256
b411e6ffc6adb2b0f1d92b4f229220375f66309ba8d795abdc7f0c8c1360b637

SHA512
d036810662d508972af1f15f967fae9be7854a6e06c3acf65f382e9e92706ff0b55770cac371a40106128b8bf586eafeb19f85f035fdc045585d32bc53a1d49f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2ccd880941a2d7475b1d8058687f9fde

SHA1
b3646c0c9f5a02611c112a24e6d47ae6a0da6c24

SHA256
6fb06e55035affa810c882b9cf4e9ed40af501916a4aa0382b85097dd7f7d9ad

SHA512
c02dd9ea53513ddbbd4d82fbae76360bf0a40e4259a12acceb4e456f84cce59475c14f3e638df70bc3f68523f8f55a7738676c215cc4bef6084d0f1aa22d0331

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e36ab783bfe99de5fd5a9f4196b6c0a2

SHA1
cfe27bbe2141aa711da43f3a51d3beffc74fb71b

SHA256
d8f3782be99a471397dd7bb7b9c3abb332e606995776de8a4d23b29b5a57d382

SHA512
99f9fe378dd004db498e33679604c479cc918163a70b024cd3b4c5c09bb93a332f88f80503fc73efc17d8a39568513a6ee98fa53bfdfa6b11b068a1b9cc721d3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2e43ecbc77af284b0deeca006a7ce1da

SHA1
3a0e1d17e4053464d4126045356881f94345b84d

SHA256
3ceb4a75b5888cc7ced892796469539bd3327133134bb1010d63cb93281ce66f

SHA512
84b84519d3b4f66793226b5125ee0291f47020cb3e5e39a97d083ab560409fa502b65e98e8d9e33b60bd47f11eecd71b7a935e3309cb0a8c2c889f21ce647358

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7485f7c375c64120116b67d378558eb8

SHA1
6e5f416d1b0b24b1cae38599671b649ccbd435f0

SHA256
e0b91de045a1425ee156db90cd5a03bedb60447fa3f09a888548c27a5c650e80

SHA512
5bdb4dd1d9a72854e4fd706e9834dfb82fe673639c45cee804674c99e1350e74c43326f760706683fb7ab4130b9d22c6bd71f72fe24416488c8a39dbf1577c52

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
177d0aa655f93dcd0137f02aa8e18ce5

SHA1
fd59ff766d600c087b5554127f46641b6779444b

SHA256
ad9c23dba9f4e6288d3d8577da0f1b8653c84ad8ccd794d0624c1ed3394badc4

SHA512
3e936673261f4b78b7f6bcb001693081daf77eee0686cdd5e02f994500bf16b9c825b481ca0e9bb122c85a26c27bfe9f70a35aafc21c5468d80de2b09fe6f034

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
41c615ac0139b5816b8ae4d4d296e607

SHA1
9390cada4895b815eaca20546e6df4d208a1a9b5

SHA256
4ffd42fb7f0acd2bca6e2c9cc57f21142759a559268e0e24630e352338d05804

SHA512
48d054d8f047aad0516253e065b4cd0a9eb15fc5baf9ce2afb20ea260ffb79689f224e37dbace6f9a81a069d965b1ffdc8ec5043799153454b8017f12a076f17

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
1ee6ce4d677ce341d9d0b7464f584d68

SHA1
f8fef0cb73b9a00bce98049bb1d7fabc05048a0b

SHA256
221d551beee1ca15ca9d39440bfefda64e9f6360c96d6c79699265333a86afb8

SHA512
7d25f8cd7a5c643dd4cc3b92c2e003d7aa96a04002561edd943ce1c803db43ef816d72b1b3769ff6a11ebd1276b00684ae1f2d114975d0dd3b4f10f109324418

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
214ecef118dace34ddf78326a0644542

SHA1
b749bc6c631814a945ed4d7dcbc7f705bfde71e3

SHA256
9911eb4d84d4ca981db1e0bb41346fd5304dd9ff23458f4594d2685116daba82

SHA512
643f31fac50e8f447bf68d3d3317d7635835a7997ce39dae976142674019ad9ae14bfd0c21e5b7db9e2def8e8e7d168af203d2e24a0a969397609c4f4fc4bdb9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
e6e5c02d01011e6b733f607a438b292a

SHA1
60fffe8ebce8176334f68fd44e9e28dd51920738

SHA256
f50c284295b080734f5b72018641b60f3b09160bdb13e18b6dbc5cbb1a85add0

SHA512
6273980cc19a9edd6710248ce30865214b746803b27f692b61c89ab8417a7c0b00e3a543d0bc11387c35aa843c01335503ac7d5f525fad02c8285bb8d22149ca

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
54f90ac4b6f2e27dfb54ec447f6a4ae4

SHA1
c0da1ccbda9f9bf82cac58794effb0d6d17736b3

SHA256
d25ca69063e072bc673f66bb0c243877f1b16900f356f7567978423394e347b6

SHA512
f09b724e5ff3e4783ba30f988d97e5842bea39b9027b9f34c9e3940559518c7a898b56dce01171fa5573be5bcc8ef9c1a19afddf37fce0e8de6063e60404f4a5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
77c7e4e63a0f1edd602ec92ba7ab77cb

SHA1
9d85513ba90813b6445939da26e79dd04e56c726

SHA256
520b9dd770472b55f0cd55c8d2ec3018ae6dbe5fe16dce1d674606e7aff84cc9

SHA512
7a56d208f4a2ccd65a76e5cfd79623b156de1146b484797667c946a8f7ce17099055fc00287320ddde18e0fd83f17eeffe5854f5ed81fd10f681d22badbc08e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f8b5efd9ea6951401c7f81c664a57fb4

SHA1
dbf03b7abcda5b489a9d65f8fd0b3e7bf191a01d

SHA256
5672db21aed387bec31216df72153118dc9cf6e0986e05a684382f30be2d7d34

SHA512
49861df8c19f21e18a325b6685d6a625de5aadd5c5b17d595aac45dd488c3ffc900677fbca6442c13646db21bba879ccf9b7d7ff9ef61fec6aaaf862488a4fad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
0d2ae65390d46adb0e354f0b2ad46462

SHA1
9a0dce2e0ed3636a826bd33b9cb403e30b6247eb

SHA256
6196874d898c1b2c0f6da184dc727bf93a90511ad8a0e112a73bd274344960b7

SHA512
1f7b6a5c920780398d168c8b21da7f0bc32542d217c777dad31fd1ebc062a6191841a1203ddabc02ce37db008226af345b61447205485a49af076a6b11485a72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
4fb2553d63d7bc5afc28da0b08f39115

SHA1
8579524c4aaba8cd36d27dba16eade3b8a3c29b6

SHA256
94f72b3a14a22acd22ba9bf92e97d0e11ddad53bcfe2d18041131dfca7cd0a82

SHA512
a786093a58e7251e4bf1117eb157888697dcf28e506bfae1d2d92ce8752cb6c9791a35b3b545235bb4ea0091be3849185067ef09d0d467afed744f04e13ac636

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
f2f03c277e18d215267074e626e5a768

SHA1
af70f161d5c81eb2b9742cc96d5150846fe37aaf

SHA256
5467dc1453eab5049e5b5fed4bce27b85220c83a6bc885976f0753b93e01809f

SHA512
f180dbc16aa0f8ecc1abcc8b7071bff16519d228026b4b89e465eabed8267910d2b1f7990540b83537e221f160d5f50281e5dfc28b2d8303c95b32a262b3d03b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7faa134600680f970b230d51b6bbac2b

SHA1
3eb368babbdeb4ceeeb0a0447d7aed5ce146f2bd

SHA256
f25433a93e113cc380ba0b3f81a1091c84200007eaf4c85203a726f3ce36643d

SHA512
a3002cc6287216dd670d5e145d88fdcd0a11ca8a813c76eee35f91e4d52a773d3981447a188a8e14be09d92ec01ea19404cdd656a33c0f3f9e2d11f258164c04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
35992c652bc9813bd072b883d72ff9ea

SHA1
0e22c8cc1da036523a36f1f3130a55a7ad4e7855

SHA256
7319742707659072039e3991140082ff3429ede7a6c12a115561490f3e1299d9

SHA512
92c2bfcd0956df8c1faac56f11b3c4a4191d373f2c15f0b7b204b3aab8ebe00b84f4cfdfa236735de14edd4cf82cf4ad571433e8941c469a256302f4d377e236

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
2052b90276c502dd9e7f06154f945932

SHA1
b042b11121cd5f996cd52f6853f07910476fcf8f

SHA256
8a8f5101ea0bd6165e5d3220574a294014a34723b8563fb91976001a38b7ec42

SHA512
2bd17e1a2385e36985f4816d5cb2d5a430fabc84a8ddcb40e96f38a2e4ec8a6e366960d2e626089c6659a58183a6bf58cc6496fe776a9ef28f220291f34659a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
fedad9effbe34e8b63141cc1fdd5aa35

SHA1
e43afcdcc13633e0d09797f61c46d46873ecea23

SHA256
45ec3018df0df8322067e979c0723a9bb3645bf4508cf03a4ccf1e277a120f91

SHA512
b961fd8a69df59b8dc037af9be2e590c78ca7ed0159321cb60992014eda595fe980397d8798dd8718b048c785a49011efaeef385a7580884d937f951f97fd78c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
62eaa821edae20864190d2fb3e8b53ba

SHA1
efa958a5d098c0691ffb1c50ab25f45baacc0756

SHA256
861a6f3013de59bbca5af7e4ed85b354a01bcae0967992e28954189b2887d1b9

SHA512
dbdd6ebf83f1e837b708b12e3d03bba7245e50bbb274eef0d43ee3ae2379c3cce75b1dde41fa78a7a60ccdde4be9b0754611d42045315634d15b57f0f44cf298

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
437e0ef41976a7c5b2a90a3718bff972

SHA1
b1d275b606ca730f98b33b7a64a7f2ea3fc59c70

SHA256
690a5f85058cec437231796301e7d1ba94039a209de9d7ecded8e1698d203484

SHA512
5d030c15f6f18e3b306070eb429cb68f90b516147314f84d56b828343724af1d1de5d7ab2bde3f7502a75028620a3749caac25fee6c50d52ca67958cfbf58d1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
3b46a2bed0705d796cd307f5e76e66ea

SHA1
0ad85ba678d2e7be6f7e87766627d522f9f76af3

SHA256
8423be5e76b0813f2768a6c572d5e6f913afc71a0d3779341f644a51358f3a78

SHA512
e00e833f641ec51864d1886a83bbc1ff3f6e77ce86d0dc753cc7fb46a51d0e94f42107ac6183efa6aa946300c6da61c48531dab1422a9fdd767db05c05f037c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
fdec6211bda315899e1a062a74ebfff9

SHA1
3cae5c828deb3eb71912dc311d968077435a228e

SHA256
60bb7950ef96600269ccda4f351f9fd392bed3ee6e4ccf714456fcfbb693195c

SHA512
b402157025e3be360318773e2bc829c3a7e22a4e563079277d8fdccfd3f5daea0b3cc873960cc1031fd712792a404a73e1cae3f563ace67ee03319f6e2002432

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
96c953ac4036e8003f4bdc3ec624baf6

SHA1
5c017f63d35960197bfe5eae0fae5ec367817fcf

SHA256
64d6cc4b1dda7906aa87f5fc1198fe70cd33a3bf560f1bb568d5d5dde0e472f5

SHA512
ed1645128162c235d9e4824075e5054d0d6336f49f17c4a90b18500d20a47777646ea5012904a30257dbdaeb5c189df698fb97b56449142a4dad3a2755e02af2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
3bf1a387c0a222d6277b25cfb708be36

SHA1
44718214c7d5db0f4c1ff6fc7e82a1322e0bf984

SHA256
2957757ec769a147bb385ee2ba993de722627d29504ad7df71d55cbb9861f210

SHA512
2ccb8dccb087fc50723476c1d241099006d6cc3d7541135e969afa270c987e47a3f9b4e9c15a7c80aa1d6132dea637700604b467c05b3c201f030d8360c27124

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
43d132a758a203aa84ca7887f058e05a

SHA1
add50709adf006b1589ab9853136766870d3bb02

SHA256
660a6df511fe38ffe3ea3e792108d622ada7833f67be2abc4ba5b8a0b3b8f242

SHA512
8f2402e0da4649188a3ff0fe6df60f8f01fd7c0664f2f6ca9cfdfdfc565d8a1bfd9ff17e80850e74f16bbc77e4b210bee610e5bdb8fe0204099a7cbecd8bd90a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
f88bf3266daaf5f0d1cbcb19ccdd2e25

SHA1
6b7d5a23d14f98048423e319c862588857c20f3b

SHA256
1a0085cca65626edccf01eb9cad8bc343f73f3dffebe76055b82ec15ad735b74

SHA512
4aba3f886221d55bd9e791eccf3b9ec74b5694a785dde5589a640973ca3c2948c18b2d75f38c1f5063459d8a920ffd5fb7f52b2bb513c602ef902a3fdbb972ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
766d989df0ca3fa2f0e1ff88e19d9deb

SHA1
0820fb8f364757f734a9fbf29a6af15381945cee

SHA256
476906761521bced436a450c593e03576272a654126d1821da6e63dc23179479

SHA512
020bc0959f69f43ad9cada98b97f380e040bf14a83d3976bb9746e76ca0adb9074e6ebf726d8d267fbdd4e10743e8833bf4147c0815dd8b3b443fcfc37971503

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
48fc80290b5ca85e8b7c5b5a182fdf1c

SHA1
1dc8c943e291536b4b722d503b875b05541b6bea

SHA256
b865126c618a11776927de6578291bb71a63e93a2604d454bababddd66448f14

SHA512
b7025c98663cf44a53c616bfe81c731bb923fd7cce00213bf093247511c8672a6f6005935f608c9a4d29722335ac5be2ba529d1613a0833c5c7618e83fb13659

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
c39a308c9fdf68d9dd9c9cdb352f66df

SHA1
602cebdf5cb679cdee4dda10abc548bd37e105b6

SHA256
98f162ce2df7eb8bcc0172a21e74f31c5b29c47a7643bb77a4fadd1a599dccea

SHA512
ca6b1f962e1d8267aad0cd3e2419dbdfd7a381fe9c32527ad7e2d4fa8e67067a1cec81edafbcc9e1ff49c82f3cb077eebf29cf70ab2e1187c2b617e068ad3fde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
66b4193633cae3431e5d896b4db32fbe

SHA1
fb6c1beb59a1f99467e1d66d5b892bfa9ac54ca1

SHA256
42395aa2a665f32a4f5de8c1322bcd4722b6d774adcc33dd3ee6584a1d1da7f4

SHA512
87bf81620e430da07620bd152083fe3d6d818fa9b1bf36dc610fe95a711c3ccd8c6e6f0e2752c5f764532c743f1a4371c5b4d9070b9725a0be106a5709b8cad1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
2effca5ac494dd426ce20b0e9a7d20a5

SHA1
bc23444dae7f9a61b438dea5b8c67c27db7d2518

SHA256
e1bb3786b0989e4ab1d1a9fe914b3f13d13bcc829e59eebbcc4c1c519dca204f

SHA512
c4dcdc7b5781562c7e22e8f59a35bce6784bc3d25358f5039920377f9fecdd75eda08c32490c7598c1be92a9f69bf8f4e6552b4089c89d7673dcc83665a26f08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
4c5a338dd1fd44cf00ff039e5dc1897a

SHA1
560964794effbc1e392568289626d5b76d1cbea4

SHA256
ddeed658114066f3efd2347c832b35d15e723f32e20d83129852c17cc5bee7ab

SHA512
55393ba86b8995d73a4eb50270851bd55b480e08fe91049c9b3d9c217ced356398931b33c3c95e6b9a94856c77c0259382d92387dad238d4e5eb59aedc230e2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
1df1ac38174225805d8a31ece83cb653

SHA1
a89ec3fc9f786d767a43492dbbdfc57513c97fad

SHA256
3130e594831a402b849de049346b9f48a23486f3cd6c48adafb8149d5160016f

SHA512
127d3a3ba15129a5660fc974a6693969e01ceab13bf9f3f9b549c8dd112bc1bb7546321113a975d079ed64556db713c5d55030f47f66b3d59a8be7cbbd45def9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
4cacb18139d964eb0c385acac78f48b1

SHA1
01e545775cada9f27063e2b463e93c218a0ddb10

SHA256
85450c6d00a52fb167d7aec2f8a6c3aa880e6aed05627128901bf8d2509e8e91

SHA512
9d1971c32339c1a696a8efc8aa0a2fde30529802ae87a865c7621a096da020e4acc3627a8c1ad7a71252fc543d1afe707872b3ab8dc13938454d0413bb11ab11

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ed529a1b689f24dcd00faab5f8e24192

SHA1
475f32513b1a888bb1a374a0fb2b5c0680dcc00c

SHA256
fad9020efc8727db8590fbb4dfdc716360a3ca11fea80103f3f66c2c0985d042

SHA512
5575e46d9aafafa270450911f43f9e3f6ef991fe6e8b73a15ce29f73e2b3f349452389249842177ca225a7bbc4dce1e460851bef40e35440051bbb9ae61cbe35

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
097500bd6b44a921f3ea69771aae85d0

SHA1
b40b0a607fa95b28b68e97b9fdf051ae15d0603d

SHA256
b6a5ecd0e9efad17ac9fe7cfe25a8633aa0b35681af54e9f4ebe5fc89f1113c7

SHA512
32b6fb8d94ba552706d24d69347b3ea03f879d03d066a988472f4929597c370cbd20966fa0397193c3988bc3468ff5ab623dc83dea66e77c005fdc5eb249fefc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
a4453041d682959b69e7fce8d8e23563

SHA1
1fbfedff03c579227eab10382b5750554172eaa3

SHA256
78603d116bdce848722f8b35216ff921ed3326e0857ac8abae936f9637080d89

SHA512
11a334afed6834db3f243b2c88bece6b559764ad9737fa14a157729dc47a5018886798273f0c25ed4f7d5c8aae9f82c9b970234958b5f5519d6e5a29a3681ac2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
81d5e781cc6c122b90ec07aff9a1a880

SHA1
9e068fbe5591c33f07b998faf80966bfb8879951

SHA256
e4edd6dbb5fa903381c85edf185ee21cf76a61e9915d07804d53a5f9a15f075d

SHA512
f4f553183e76c404676d3f82a370dad7afad343f5d6bfbb256c345484e0bc3594fff03634143f07614b300a668f180b6055c04b5df4c3ecaa712328f88b0adf8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
76d3f173af9b91a554b2d94dcc953998

SHA1
e092420cebb93c350802a0415b3534d7cc3ae280

SHA256
89e05bf9b767e088db3ebd6d256f624215c74f5c2f058a4e958a2bc65c7c676c

SHA512
e42afc8da56551a8684f023c4866ca778599d99a8cb1f48c977f4682c004cf51cf581b1ef051c1fce3f1bb0fe047fda863489cd7b74cdea9c2991a640299e5a0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a6ddb478bb5068fc286b5cde00127718

SHA1
29177a0bfd36ff44b0b6dd0badafda747a2bc05e

SHA256
5a26595422d4b40d4411f80f4dd2694b29c51d14542177454d7ea4cf4ec36f07

SHA512
4c54f4384d278372f4bde94090aef92691ee3f9d0864baf45259df2fac51f0cfee6cbc36e449e9d79e4c484fafd673db908fd6e0024adad0950f69536c972031

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
18794668f294c377c18f1bf43b167eb9

SHA1
fbcf705331d8f2758d3c696abd9938cde11dc670

SHA256
359d660b861ee583ecd2118876c3c4ad0fc52540e26d25363cccee97308024f7

SHA512
617fdbf9dfb37186dd9893f2ee9f901dc4a75ac0f3d79d9472fe51c45bfb76d736b377d0e17ec0b40f1828bea7160ea5561cf793195d153e1ad6540e514514f7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fef38fd0de8ce3ec795be42f4bf6b418

SHA1
9456a6e9b61349b76b78f606963bd5de12ca426f

SHA256
9d82da7983a283c31598876d24663c965aae9c9f21f1d4ed0c9d6dd08741672b

SHA512
175503af02a42416f0236fe3a78800185534eff654a5930eff173d96a8055afb89caf7d03ab41d86069af15f5a5e96e790010d00ad99fec75c6c5c82cf2d2497

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5bfc6c73a0f124aa20d812aadc59d1a4

SHA1
a18a56d067aef6a945916fd3d49ba5fa5871f533

SHA256
77dac7b2b638d39d860ddff42e64d5e29df4ac412e1be540c987cf8efae77bff

SHA512
5896c186e1f263137d7972c2c9a82da54a6e545e31ddf293391925cfb903af53cd91d07b6b67a841fd25bbb284a5aa716c3244b7ed8cea6fdfed2d9af0b18714

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dd7cc5ec84494e040672f1c398e360d6

SHA1
163e064b318a7a97e325336f47a05d68a4308b94

SHA256
8b07b4559394f400576ba28e9490ef885e05e156bf11a701a7c00078e2bbc8fa

SHA512
abc7ce9b515b9aad29bac67fa15cbec53b88a6bdc7d305e157c152e94f138e669e4d431b723455e256cdbab4452ac4d6d2017ae635ac59c5957543428ebbac7c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c019edf654fe5736c2e625e3ff7ddc6c

SHA1
68ed5d7ca6c738d1db9abdefcc92c33fa906ef5e

SHA256
40f1b605641ef71d5313ea6419f04034d79067025b10ad4bbe8c3b7aa1c48813

SHA512
f0cbce1fe9d1dca0096573da4fd6ebe2da9216803904f8d586219e064bdd9cd77df03d33cbceee445751112d655aa01a98ab7a24807e06184f37ce725072d001

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d88aa63dd935986c2fa5b211ecc6cab1

SHA1
eea2eb7f5e48d0792f3b8126e04e3270b25fb36d

SHA256
24c4c469099c3676facb08e2247fcf77f2ecd2ca4f23e631d7e8d551f2681c2b

SHA512
e816393436cb9283a8cc0d75200307e4a8845df2cb14a8efb8f4ba080a7b2cbd16fd8b911914cac8a70b7242afe5fc66a00e3332f8a480a87907a89a0253f8b9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
ffc2196aad60a1ac3404da5f7de238d5

SHA1
cdd9508a778e380882ea1100ec16c70fda69cfe0

SHA256
4e801749fac525b6d3d335b6002d3e14266434a768447c560c64ae7a8a1ac7b7

SHA512
beff2cf3271b111c9c5f724bbf3ce5cb8e1a15af731d776b28b35147bf67057d140470357abdbcfb30cc6abcb67312bed46ec79c07a27bdeb62478f477aa7c35

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d7dfc6c08967aef68e866185e20122be

SHA1
e24be59ec3db5622f48f5ce62471d2b778aad2db

SHA256
a61a2997082dddde4dfed0c9f5ac34614d6119c893c36d813b820ba12b493f1d

SHA512
a384bd7858d661f53bfeb609f47e87c6eae3535fb2f72c9409a06dd59c97ad55429a7d12c831074d5c8b64465b79962e1a93c46ffe2bb5c1ec843c8daebd6e41

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9709c4a05e75df765b11ab051f70414d

SHA1
4ddbedcf0a360e6fa8caf5ed99f3ef03f34ba848

SHA256
cfd155127cf3c4c95541965de0b615b11635719b0c82570dd563f01ac555823f

SHA512
3fc83fc7bc5b251dfa67a0ae5aa3711e794d233b78af13424cbfe390716c41a5cfc9d2bd6c77924bbafac6bcfba3abd4a6e9f12a04998c04e4c90d2439bae599

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
39470a4f939e99159ea6dd20fc72e8de

SHA1
af708dd02cbcd53b8020711d29a38dabe4d80b18

SHA256
fbe6ef72585125d116efa3449afea5f645622cf4708cf18348c41fd9f7491a06

SHA512
c3a3826d6d093d092ad76530635286237077be2534ff4754bf5648a37a8b29c8e963c47a560fe1ed5434c642dc4a3a9b6633b5f23c2f1b262efc9608adac4bd4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
39cdd5d15c4d73f9a0c61ee6857ceab4

SHA1
321bb5bbbdb4e7783b300c23b0f178728d22d4b0

SHA256
98ba3f22cad094933bdd7b8ad045cf822291858dcd30718bc43312cf9954e47b

SHA512
2a82cbce4973e7b0ddb6e2d58c77ebb9954a4f17b602a99aa58dc034162ccec498dd062fe4110e1411f2ed1b5dc07777c01ca99c156bf52d00cddc5f44955254

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b785cecc7cc91fb495856b7f133cd18b

SHA1
1c798a2e9cd2071978cd59cbbb8bb2168760d25c

SHA256
4ee2b04a0d717a532fd7bc6c48cba9a631ad0ad61c87db918cde1251b10922b4

SHA512
549b0b3cab0d44e1a77a507dab8e5496c46b4a369f6b7d59ce907f3528e03ac39f15fdb26de8fb8354fc410cc8636b799e18db3f5f9e4a1dc8edfa27b4d3782a

Download Submit
memory/404-246-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/404-252-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/404-245-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/404-364-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1148-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1148-608-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1148-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1176-413-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1176-302-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1208-401-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1208-286-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1268-280-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1268-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1268-257-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1364-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1364-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1364-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1364-235-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1412-60-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1412-67-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1412-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1412-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1412-54-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1660-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1660-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1660-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1660-43-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1860-418-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1860-615-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1864-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1864-613-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1988-426-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1988-616-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2128-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2128-614-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2180-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2180-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2808-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2808-618-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2992-605-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2992-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3208-77-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3208-75-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3208-69-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3208-240-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3828-365-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3828-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4124-276-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4136-609-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4136-353-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4236-40-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4236-236-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4236-39-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4236-31-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4240-604-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4240-330-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4572-29-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4572-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4572-1-0x0000000002270000-0x00000000022D6000-memory.dmp

Filesize
408KB

Download
memory/4572-6-0x0000000002270000-0x00000000022D6000-memory.dmp

Filesize
408KB

Download
memory/4724-315-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4724-425-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download