4f64302bee1e9ca57898ec5c5675bd8b33ce1b0dbd77ea3a09c11ef33e16be14

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 10:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-05_3272cd34907601ec717f3b185c2c92fc_avoslocker.exe
Size

1.3MB
MD5

3272cd34907601ec717f3b185c2c92fc
SHA1

fc9021886b830593bd360f64d5faf62caae45659
SHA256

4f64302bee1e9ca57898ec5c5675bd8b33ce1b0dbd77ea3a09c11ef33e16be14
SHA512

e44e4bb8dacffa5da391b0879d8fdacd023e1273f014ebfa22547b94faba4de12289522d125c429ba755bec7a3596cef34efc0c5e8bcfff639a86166793b3cb9
SSDEEP

24576:C2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedli1vaYxhaOKVh1DiIz33PTgIF:CPtjtQiIhUyQd1SkFdlGhaOIh1Dp33PM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3932	alg.exe
4816	elevation_service.exe
2236	elevation_service.exe
2916	maintenanceservice.exe
5048	OSE.EXE
2908	DiagnosticsHub.StandardCollector.Service.exe
4604	fxssvc.exe
2636	msdtc.exe
4320	PerceptionSimulationService.exe
2172	perfhost.exe
1388	locator.exe
2072	SensorDataService.exe
4280	snmptrap.exe
1932	spectrum.exe
2408	ssh-agent.exe
3504	TieringEngineService.exe
2244	AgentService.exe
3848	vds.exe
5020	vssvc.exe
896	wbengine.exe
3624	WmiApSrv.exe
1384	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-05_3272cd34907601ec717f3b185c2c92fc_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\12fd8dec8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	2024-05-05_3272cd34907601ec717f3b185c2c92fc_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026f4abefda9eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022938aefda9eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008891a9efda9eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8d066efda9eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072439befda9eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4816	elevation_service.exe
4816	elevation_service.exe
4816	elevation_service.exe
4816	elevation_service.exe
4816	elevation_service.exe
4816	elevation_service.exe
4816	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4648	2024-05-05_3272cd34907601ec717f3b185c2c92fc_avoslocker.exe
Token: SeDebugPrivilege	3932	alg.exe
Token: SeDebugPrivilege	3932	alg.exe
Token: SeDebugPrivilege	3932	alg.exe
Token: SeTakeOwnershipPrivilege	4816	elevation_service.exe
Token: SeAuditPrivilege	4604	fxssvc.exe
Token: SeRestorePrivilege	3504	TieringEngineService.exe
Token: SeManageVolumePrivilege	3504	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2244	AgentService.exe
Token: SeBackupPrivilege	5020	vssvc.exe
Token: SeRestorePrivilege	5020	vssvc.exe
Token: SeAuditPrivilege	5020	vssvc.exe
Token: SeBackupPrivilege	896	wbengine.exe
Token: SeRestorePrivilege	896	wbengine.exe
Token: SeSecurityPrivilege	896	wbengine.exe
Token: 33	1384	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeDebugPrivilege	4816	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2384	1384	SearchIndexer.exe	122
PID 1384 wrote to memory of 2384	1384	SearchIndexer.exe	122
PID 1384 wrote to memory of 4900	1384	SearchIndexer.exe	123
PID 1384 wrote to memory of 4900	1384	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-05_3272cd34907601ec717f3b185c2c92fc_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-05_3272cd34907601ec717f3b185c2c92fc_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2236

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2916

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4720

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2636

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2072

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1932

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4552

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2384
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
65cf30c220f8e9b6728381cc91e331c2

SHA1
7ed867ec8cbc73a59e34d7486a13c0d39f7aa8b2

SHA256
7ecb53f14fb79f4117bcdea8ee388c410cab202347d8a4523e235f0ef1908ce4

SHA512
48d3ef92ce16597b7604e00aa6e8ab59b0f58e026cec84353dffe1d7bfdb4d52f1f9bc5a22c54c46359409641b8e858c568297683a7e18988fb30ea13abfee1d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
c66497c089ffb333493b434ce7c20a4c

SHA1
3edaac87efed3504ba227ff8597dec048a649910

SHA256
a3da72c34bfedd198ad5b15b78e07004959adea51c81dc5fd0a56b7e37e1cb45

SHA512
71e253ed21df52b3b5a44a0d7d45ce980e501fe573622ff0a4736b4fa986b2e12aa8b21eee67dab86732ce0836457eeca5e12216ba1367e42ef3f653baa980ea

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
8bf2674d20aa4c8192a64660db2aea0d

SHA1
af8afdd304f413babc3f60c4f6514905b2aa7879

SHA256
1a97527d57b1b324274bf5c647df6ef0fb6602277441f5ae7910928ad149fbb7

SHA512
121c4d2e77e0ebcc5e7f964fc68bb2b7ed719bc5cf944c40749f7cdec40655410901405ddc45ab59b52a43b983705168ceef57eae75afa23226973f51959917b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f407eed06f0adfb991db31986d4efd1a

SHA1
c5b2c58cc46c8748d2e904bd9ed0484b01034396

SHA256
dc6220484613014a3404d23313258c3c9d1417a603b355280e713df7984bc111

SHA512
4c65aae396cba97bffd5bdcde88a0b2df55f3224cc4007af4e87c6d08f41c4edaeb1dcdd7583e9943abe87c490ebafbb73ba1e3497817b20efdd62561295f797

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
87b8357812c12c462fdf105888a0b80b

SHA1
20882a62847b9da5da91d9d305e40030d2487c8f

SHA256
206ecb2454cad0a9d5a2dad05cb1d2a106811a86f52c0311aabbc1f0dee5904b

SHA512
fe36363fc6aa9056d0fb179c83521fb7026bb46bc4e8e8b958dd1280d4ddc99c1083b6ff13a24c25226700776cd1ac0f238721a431d28c43c5c3381905e70f49

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
c0e412c6731103f50b32a369082c1c84

SHA1
61c93b4a3ef3ac3b3a4a59d23abbe83ef514f69d

SHA256
a8d10579448bdb2f796a52455037f266b6176e5eb440441dc05a0e534b618604

SHA512
398cee72f4aa2bee4170a3d7f88e3c17228298c4462c0b68b796edcbb2ee88339c7841840b38f494e080bbe7687a2cb709338aae9c946679811215bdda7a41a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
6813b33dbcd49de151d9894e031f5444

SHA1
4516c807744b8b3633a798e2fdc27bf8eb1c15bb

SHA256
9db3c2b4adb741fb8f2fe68567268c436e46810dc4e635100849913b1610a5a0

SHA512
c509561b7f8ee6ef8969c186144925fd800910dc58eea8844faeb7d58e2e68ac3b3fd8af2f64add136500f2637df24c67d42f5ce64e0bd80166c052cab3568c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
65798703368f12e3c5965c85e4d26b2e

SHA1
387826990568176231432dac09cb31813547b657

SHA256
866a61011722c7a96580ca230886c8b9e98923620ff1f7b0d5674af2dec0a43a

SHA512
7f0f523a51c9f4df8d7b39bebe68f3c402f520a9a7f42f03cac4150ba247cce3bf17c05df2821fec68e7dc263d2c790cdec622db327a150c199be6df493ca5cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
ef00524696a8da2c0d70dec40afa71d4

SHA1
47180e381b57f38181510aac99447cc5804fd3a6

SHA256
13cfc79e3b8ce09f05000b6ced5cdfebfe36f5c0c62095479ee39a433ca5387e

SHA512
9a004b239f4e999f4628f99d3d6b0d92bf14981557c4da65ec08b1fed42c4f949668d292bc9139eb9b4e97df3dabdbb298d523e3da7796e9db69ab175edd991e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ae2a9527751b0b2515e14c7211c988e6

SHA1
5f4ae87456e2fe63ad071802462c0cbef3a4e776

SHA256
8518fb74c0430a4e7fe280c30419c33c58b2c2797192f35c3cf9ceac5bfc7ff1

SHA512
d3a390b36a29bedd6717ee52d6c2b9da07fefad106c2edf314ad18938c37c1fb398e67262bfda15948ac802ad8245e2dc8d65f4e104745e6e434df2b3c0017bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f56184b021282783dcebc843b291f19e

SHA1
ae29848e465ac07f6457a757cdbf23577e4f7ece

SHA256
9e21f8d6d0a9a080a52266cddc68bc98a03c1ce0fb05b11c2b369345749ab3dc

SHA512
b9676a632b1accf5d57bc797920f17b3093467ec1149fa29f567e50f15addd857c5547ad290303abf04fcaaaeb6e2a5eae05e8e99b6095f2b2eb622a19113df4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2909a2b04cf7a8e8516ce28879fe65f9

SHA1
1f1c4bf5e76460404ef4b90e2e05cc79cd218c2b

SHA256
63e0402831daaa3c346c5be9065966fc9a03fb457322d64aad9f3e2af2695180

SHA512
03a8a6bec9408bd53932ab290e27671d0cc97f819a4863c3f75de60295ff705bffa3fab43344130116e1b9d6db6f30faddba8e4da63f146fb76095fe1b980dee

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
89902e45b17de1a455ff82eca7adff9b

SHA1
7e940a69379a6daecae93b14e7aa899b2ac56250

SHA256
c177c2715b161fcf1b8225dcb52a24628d459221556b29982b23746ab1d45498

SHA512
ab557c25a14ad5fde9ffa5926626b2bf2eb1791b22f43fad0e8c840f399b51faf0e01cb36e73e7dd5a4294e9e2afa62fc86b6af353bc7f2b4793c5919262d4f5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
67270e61ec1ab2fd575f241c97b2a9c1

SHA1
48db2673938c7895052e98bd63b13e448c3d3d59

SHA256
9fa02158a4c15400c171fc659ca1e5b8dfd35def59393a60c23712a98b95a1a9

SHA512
613dbe1cb52f72dfbbde6554d5b51840a7ac2baa28d943f6c6d89d864b9756458881a9ffcc24e41071c3a87bea0b9897606153ac0c616f87ffbdf7a434035ebb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a005283298c017df1118baa2d60e9e02

SHA1
6ff62d7448868426889bb705084a943227619279

SHA256
938b8013fa7f63070b5f695f14bb004d0ce1b45630701ad1663b0ef5cde9f711

SHA512
6c5081ccf222695ea60ae2f882a88cc0393bcb5473e3d2b9cade1f38e5a99b87e737528d3443fe47bd916540281069bfdfb6ae244c0c7cff05c85e53a4191657

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
47e22f30ba56c14cd34ed30f9decd12b

SHA1
85efcb84c0653f978d23f6270fb7fa9760904523

SHA256
cb80382fb5916f4cbefc9b8ffacde032c37090b3c8a37ecc12c4a0ab02c447bf

SHA512
f88741449f6cff3020ad426ccc25a6d951a53cdc8d35f4e78e6c38a296871b275ab1880a742c1ab7786de4d040ed0f747204b01c274e523024975e5ce165b6ed

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3835c88509eeaec016c966ce71b1076c

SHA1
1e3abbe32e1538cdd751fe98d53a2cc7f0d49f0f

SHA256
102982177be48f7d8e729d693ff26bd8f237883cc723b6efca8ac3a78c374e7e

SHA512
6541555e8fc531ec34fd3a5f9b6456c9053a03fcc0f9439d07de08fa7c68e57e19225d1567ee3bae3f617fbfcf6b507c65e359da6259ec53fe96865caad68283

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
dbe923ae804bc849447b7ca55ecebc58

SHA1
65c87054c122b68bff8fc724a190bfa02f8e08b6

SHA256
5ca710407ff050da99e0b802e624fc950ff4312c2a7414c4ce2845545b713cb1

SHA512
fff0ac28ac701e096f5c7e67e198bd6907033826f865f507101a41628ed038d0cecd1c9fc9659b50fe918ba42674162532240496dfd4123ca65e4af5e08a4c3e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d02f0af7fea2e52efd047d55954604e8

SHA1
66b83d1604ed7bc2c7876dfdac04bd063a325c29

SHA256
d90eb4723feddf03249e6d28ba3521442d00125d5a70b3ce319722bcd445fd0e

SHA512
ba3ef7ec9c69867a49f6ddb29ae8b276f844e33b72158b9c5c6ff72a5c7f5ae46f9fbce35aed0a90c88509f3a3d71269229f51c344e6a0aa0bd823081ef90dbc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a226bf98a386a7e9ce66850f9ec6bb74

SHA1
650020183dcba778b4173601bc269b27d701066c

SHA256
b4c2cef1ed965e62d86a8a4810dbbb3a079d7fc322c135c96137dc86700fbb2a

SHA512
f49d8e98debee03c52b537de91578465c39fa370f6b6a31b6917db030a8d1a55bf9b433e831f3d267d105777b13cf96254eca0a99e1ae079f1b59822bb7bed40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
a9332de8bf01b1e632d03c71ba816298

SHA1
6e5fa7d531338f5115d6efee7d0b80f467f96b29

SHA256
0b091bf520173890692859b96b72dc950f6e8623fe396576119fb7ec3a171b62

SHA512
679decf178dbd6081e86d628a5c4e876e6e361b91dbc33a814fe22993772a755daaf289e1da1667e6bb819e6fcd0e1f557b5ed8af2f3093403763bd3c953e927

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
9b55b2598dd74805ca4fe9116a7e6851

SHA1
c2ee76eca57dfc083238774a81a093f2daa6a0b7

SHA256
64b20cbaa46a8d0beaf855200bdb2459e5bf426ca77321520300352cecdc5734

SHA512
1dcaa8756f80bc22857fd8d404f1b7169ef363d3cbacb8a121014b026824a619089f1b4f9c79b5e62409f90bbfc2a10f81b5e29c7a0e24f89df04ae2706d9f4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
67e5bb2cdabdc7154e01984c4d59d289

SHA1
c5d935f970ea6ff7ae7348a2e88aa3ea3847cfc1

SHA256
329520f65116e7b32d2e33922592a72d25708552e1101fbf706370f85447f16b

SHA512
685fbe887ac4e14aa2cec6989f7775e425eb648594b67955b522acd3cce42ef54c6306ac7a323ed18458f372fadccc222b3d85848308da30a22b1f941f5f9a2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
4c500c46abe75fbf0e7e2402891f34d0

SHA1
4531f2971aa9719e09f6964530bab4c263a9113d

SHA256
54223522edb15fb3dda57a5b47ecc443457bcaa7e1fe5f7282f620f926d991d7

SHA512
1c7a9c8b719273c3a1641f268c843588ab769b862961f201c7c325722a05b5ed1668d60631d3e05a725a49c7b8bc4198c1d0121388d861049c50ca41e880b8ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
6003f72ed999e42c800413fa4b475ecb

SHA1
0c02fd91cd6408c95a50b39839f60d10bc2fd49e

SHA256
f6a7d46da5f937718b82fdf62afdacfce61e3b240a16d1c278a9bd7fff238f4c

SHA512
40d5b2f76683819aa96d38db1f465c5681d7f883dc3370733999b3fe1f9a4e7394868b2edae08aa9c7eef8cde3f840889368efc7c6b70f34edab57847d007f92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
993c829ab0cb8dc07f94c461d33590c7

SHA1
90273f11f5c200b2c772e173869116d47b8b08df

SHA256
01770c17457c9f5c62160f95091905343c4d8cc6d6a04b09195fbfe52cae207f

SHA512
b59f01370bdbf12b675c68430df096f42641c44ce8ff7b1ca6fecc1e5ac567b6f92592530e8670a8421e323e46a474f70ef8c2faee2fc48164add788effbee06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
b292c81bf3d24ed5a50ba960ceaa6a05

SHA1
1d5ee850f411db6e23362515c7b91272b8c617da

SHA256
ea39da1912de125c89258097f1ff579d70c3ac9fa28f64b418a6d7e8f0cc4932

SHA512
ab01c4dfd497003f60172c3509a985ad67a57c1a20eace5887d0c328d6d67bda68ec4c02b92c3f833c0827bb8af0bda87dc89687660ae16cffa0335745f0233f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
b0114bb0e4a5c297e6bb6de05753ef5f

SHA1
77e9696d0f23355ff203ac987b3c3418f811cf3c

SHA256
87dcad11877aaf3416c6dbf0538e7768892b20c0db76b5070624f64317e18f39

SHA512
dacce481105e9a58c0728174697a31d9fc3dd32919a6711a5863e97cb0807a74510a0a0eff4fda163272f2ee508597b1419acebe4a4042fba843adcf8654f86d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
7aceff637707ddedd7105aed8a04409f

SHA1
a7192556539bdf3a8c6bc31086a97f8a7453710d

SHA256
a72b7c89bbc5db82ad5904cf8b46a7266a64109af00f3aa88f11d8a77f0689a2

SHA512
d1647d15f520cce924b9d3973faf731b9a7f8317fd7b22e84963b1cc8f08fd057246587b6dc027f89ef84d42e378fbf70f3871dc31b34d30e3997ead707172ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
334a3ea4107f911455f2a95a9b99ecc7

SHA1
177ff1db3e409fc5e9446de16a471be410b7f5bf

SHA256
85f8a7917828d5659c01746c3ac3c2af18abbe1d9efcf408cdd88d7f426ebd27

SHA512
b9ac5f019b34a137760d47ebd4294fc155af4cf27cc97d7010f92f886e2d43a5d3e4c730330dad55180d8f5a6792e713f4d1767b11b9aea646eacb7b00f4a690

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
62885e9b5758afb94b24a4db061f3171

SHA1
f8fef9c1ff6b2b97a5604a113e927b6c89070aa4

SHA256
3097d7a5e9a5734a2b3f8ac8d54baf1e1d0618749db06bf4724aad6b9d6e9304

SHA512
74b11e5e15eee55ecba1c997e02ba38f79e46d39968aa99921c1c5cbaf1f9e53c1c3d1d3ff8a63f469e402b4084decb71cc4ab68c8b7a5822a7d28da9df4acd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
38ece020ee801fcbe05833e391b74c50

SHA1
69579fbd06a1d17f6df5f06047995d6277d5112a

SHA256
88bb9c1d2d01d59efad2a451b39ad9309961e287319be268f2f295c140da3378

SHA512
4176cd954f80f1fa8a3335b257f47ec015a14f4335f464ceee050a194aed786a323a5cb4c355a9de5b952f6892a84c29b7cb88932696c943896f3460cbbe9f52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
c19f6dc89fdbfee023b31b257c66145a

SHA1
3850fe27f04e2df7b708ce45ec15878e562a436e

SHA256
ba9155d9a1f25ad8dfa9eeb43e068dfa4484c4680b5568bf39f25a57037992ca

SHA512
f24eb9ef662a3f2f86738986df27de86b133045a24a3772a270ba0ba0ccc55736ba856a4a0302f5f141819ead65d8c78942063442f81fae5a650fbc12a32b5d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
61671739916ff089b30259bfa8a6cdca

SHA1
7341b153e619563f7abbc6467962a5d79b012dc5

SHA256
6b74ece19c61f06d6a1ac92fd3bae70b13d784df14deb2421d5930f6ac33750b

SHA512
7b6977b6cc3a48e4fbb37683f254dca5cc851e1241e1651c1c7ed5f23019ecc83b8259120b79ea4decac6337d39ac056fb9bbea6977d729bc5bb773c9f7f8f50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
f80022eb42d660aa05f45ea34d5089da

SHA1
d4bf6d619d4da49f2c42a73c30dc879c8cb3455c

SHA256
3fcdb2b8ad0ca6e7ae51d899b56bd88b09cb401fe2b5434176089823679356f1

SHA512
ef0e48c5a45807f76ffdbb17567243325517966e433aa34ee4cbc4ad91899b245bdd252193692a1ef76d0f0dab93cb43e25f11a430c2e569efc18fce0587452f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
a2d2980c5556b6a3880d2c90c5ecece4

SHA1
4595c410f16227fd426182dbc39fa1dfbce08b6c

SHA256
96eeb88abf4903066966903f26dc8b0070e50fcd0277dce9be99f0d8b99c8cc8

SHA512
55a7a88edee3e95be68548a5eac355c350d2ae4edafb1056081c702b5bcb18801db87a758db2368f07afcdae27e6140007780577589343cb78bdbfa9ec0414ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
6412ddd8dfc1598e827c1a73089d8e4c

SHA1
596819dfde342bccaecc7033d1883603fa18d1ad

SHA256
e3581dcafbc7aa950282662dd725d4be0c257ec710864933e8b0df1f2e9c81bf

SHA512
6ed1097c46a10b877e0b0fd4b02b37c281167c92b66f519ea7a36e59816219feddbd1852fc2efdf803a884ef694c9eca7b93656da5f8f651cb8150b7fb505e00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
b15972f5cd9a2677c5f0268e0e142005

SHA1
030457dc9d6d39e24d62fffc4065809ab2a14458

SHA256
38a6232e43a46ea606afe8341ae0cab1d9fa68dddb12701a13f6c20f9dae4683

SHA512
f640a919115464772047cf4028b2745f9a751068e78290852fd39762bb9c84d0ce9249801a5db70fffe0d98dbbb1b3b363712b00c93b4ce2ed77f2814368f574

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
86607af63000f9f18ecf1b8d4cbb4669

SHA1
ef52515f79a35b046fbc580ae92a9d062cdd812f

SHA256
4c6e1b0cd0bb7edadf3d77dd100427479e3bea0670cbd606d6ef109191e07038

SHA512
a78ce765ae1d45aafa96d772d5cd485d129f605056393d37feb58ffc7d25d23122b396abaa151be702a0a380e5606587ab66600ede054f052b20f8da815dfa3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
b62be0b07f09ca9ce2c5d89d3dd0a6ee

SHA1
29680a1410d5b6ce54c8201a204a70d951f1a510

SHA256
e9cbf7acf78f503836d5a4c0b5a0eb22f55ac911238281035946e5b8dd4f3832

SHA512
fbbb985824282426f90526a699db6b586e08251afbe0fc4f75fb5411af5e6e19a74e4b7c2a0a77a9db66e2539d64a6420276da54c7e371e2855d13b700068562

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
48b2eaa709eb57598a1c4c0a9efc3ed8

SHA1
ad1f1c7b738951a415da8f7f470e788b427cce74

SHA256
a0591707a094006e90ec7c82cdca7579df6784f8e5d6f832e30a4b27088fab88

SHA512
b007daaf3f9ffedda2934a1de698b56c47833128eaab666230378ab9ff26e6f562e3a8750d6fabcae09a31d22c3582f00c6940c9e663d33b378c72f09ca8b0c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
df7c3c2893557c5c64c921f874a95324

SHA1
861b883d2e7c44556ca2edb60c0dd8bfc00e98bf

SHA256
0ec49d92f6affc27cba36b83ef5b47a876e03aef69d4458120c7f7939c9f98b2

SHA512
929a1d92231be7efe210918fb4d260be640690449aff02901da679ef23633ab03bf4d4aaae3b91ea919d3ee08e77a0efee1b03a1f7f5382897ef3e37f3fff1da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
e29fa4cbfe0ffdc0d933f683e06d3f47

SHA1
6ffab11909c1abf18a0bf9fa4a1bd5053458f5be

SHA256
f34e24f3eba1ab51b52ab093c6df3643bb8631047aa7030174148a90c5b5dad6

SHA512
79bafe5e7becd92a88d940cb44c1b42d7a5568dd481d0e078c62105fba58f561bac80e48884a88e7dd05f0a60fe2bec9cdff9aca42b21b8c0c35997dec668cc9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
773eb6db2443ec8dde002215b06d11b7

SHA1
47a8ed6a6cd39ecc0c508e156cf2968a03ba4303

SHA256
1815bc44bbbf94c0b2528df214c80c8c0a6f23421329249dd37725873519172c

SHA512
f67f022573c501d37ce23e5cae859f0b361583402526560d345acec4ac0510244b908e6b37139bb08f8a0c6cb5acadc8a775fd50a584da308618096121691c3d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
6f61567af4359000edb42f3fe3d995da

SHA1
aaa299b1de25fe5f4d62aec887bc22668adfaf8a

SHA256
a248aaccf2065523c98a70c99c234e1a8733d07c09815254dd64bb4b1fdd3ab6

SHA512
aa4cce57bf4a140f041119b9896eee4f193b50bd64d2319bea383b18f542e4c603e29c196cf04041a5ea1a47aa359325f45854c709db6e77e841f5a7a4b1cc9f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4a72d27ab9b4b8c5b529250db21cfc1d

SHA1
c92bc5042d01d2a893971827f51789e63554a5da

SHA256
b3651f4b3d90463da10fe65a913d0787ed273275fb2130ddd04fa25bceea872c

SHA512
3af0f6e6d30e005facc0e6714735e16dd294a54b58fc2d980b591da9038b431c4ff93f1830b364153134a929ad952ce1c373a2d5842d59106db4630e4257cb0a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
efe7e11721ec2ab3783719063ee4ad6e

SHA1
ed6ca4b2bb9069cdd7fb9473d8fb0fa9e0d8672b

SHA256
eb2d48d439329f1c3aeea62a9ca19b14e7a9073e66bda5221cb9c038124c1f41

SHA512
60e1a825e308394881671efe019c3334f9b114b3e8e84f1a6e3b0951dfaf806cfc95ff394477d95c07b23e5b5854336fdc6a5d3d112c96173e2d54bdf094b22c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
477ea19bfbf9658ae16670b7120ac16c

SHA1
c0fd3725ab64933c47b7ae39cb15e6f18e1959f6

SHA256
0bbee6fec686ae359552edecd794a7f3dd495899b7903d4ee3e7de5f2442a6dc

SHA512
0f800697563f8d4ca1d7ea8ea992b4c65f0cc5f5d20eccdfd184dd68f166b2c52cbda739501ea52bbbc73651d11a9c12eb6a0c816be609062026a2d0b28d6ad6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
5eba2da5a3e0a2c6bfe2b7e35ca687fe

SHA1
13fecbb38d93587b7934fa8b6bea812ec849217c

SHA256
8d87fb96ccc6e8eb7d8db51968a20a4621e416d1ca86cb2df13b3ee7d0db7e3b

SHA512
98337198bc737b0483cfc85085a4f3860e6c7b1ed2ceeece98e7a98a5a4abf49816d33df6f43ef36ff57975d52cb918a6942131ae426e463c67f15905f94deeb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
f98470673f37570df1e3d10f32766a41

SHA1
a7b5703033ba3cfedecd58cc5e65c0ce1acf25be

SHA256
7bc5c37ccfddc8ccb01cfb216857f6bc4b369db2dd8a87bbd9970d7cdc45b306

SHA512
47c77133fb5567a74280467ce5d327159dd19676e0c6c925f3be2790279399da85a71a44a94dfaaabe68d4b995388f6d8457e3d76d482056338f64a9de32272d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
b92b36b07545bd082cd598e9a7c2c8a2

SHA1
e55e94f37d285b6a71f1469301f291020e4946cc

SHA256
40992ab1ce2c97526913324182449377e1eabe5ff046e0e53917e8519743225f

SHA512
a5e7686f47e33d6ae46c957bff2c90e948077c2e0fda22f8acb0e323c4b4c4fbc888c6bde2ecdf2b1b0b37000714501a3d9c1031355924949bb912587c827ade

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c2893668f22d37784336532bc867add3

SHA1
b2265869e15492e0f21cb4cac25060790a9ef576

SHA256
a36ca3f993206fcbef54000f855b647279ebc04c926e37da3bfbe7dc96ec42fd

SHA512
aae3c155db97c3fc5a748622aa7d01df425d7ab10a65b224dc1791b8a15e5b3f199bb76e1ba3fe4f238db24fd3e44964de21f1c62b95012e56d40304bd1ee038

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cf6573d6a4a3a54cd444b6e799fd24ea

SHA1
73ab48f175fee83693899c83a767aa5b2dba995c

SHA256
e7705e73545a7f4b56e4d8b483260d9c598ce1028f453d60b7fd5466cc44cd2f

SHA512
7b216bfbdf7bfdc29c93464fd3648bfbe4bc98ce47a98153277ad8863861caecbedc89dd8cf1cb6573337fa43ad01518511d3886d498f50c4b4ad8b3733ba061

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
270dd3fe019d469b2fb8939515ed9314

SHA1
f6cfe8109261466e83663dd9f822d30d2e04bd0c

SHA256
b1ba03a5695e26a0f94d3ea171ab0f095097e5ec0feeda40c3ef163217529013

SHA512
00650d31448d1bfd170a97471d02d563e2f4677231afa75eb167884da01e32855cc235bc95090f696e5501bc072d0400e5b2f4c7563c97719b87b0d2372538de

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
dd9b44dd830281c695bb7a28d1ecfd2c

SHA1
28e060e254fc8f297aff26fa8d4d993bfeec2ca2

SHA256
160dded33d21a5ea77479504fe58ecfbb3549eb56bd6503cf98e7f95b3febb3d

SHA512
fa9c82d61f149ae4f70331ad49954915114dcd979503e24656e72efa3bbc2d325cdf3fa9b13215e1db4b44fa8fa7f2c6f2144b0bfa7a59291c7ad593bce86607

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
363833caa228c15fa2cd599db718e537

SHA1
9953aa0174766978c516fe3af027eb48158ce00f

SHA256
1c3c78edab3be7fdc9cbba7b9d45dc09023b53935b2fc5bf6551d672f48f9fdb

SHA512
843962c4481705b1560cc1025f298b7b74eda4bdb8a47f5369c43f0d7f0d5e61dc5b041c8f0eda122e5691af7f1c63064611d2244a882c4f670c1ac0c65294da

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
6fe250025992e12fafffe88a07887d5c

SHA1
40ce82d8fb11f215b60722d4c412afc111f6815d

SHA256
be64a67a1e1253852d7da5b6802bacb1bf9951746678120da28a969ab3b6229f

SHA512
bf30c934d3eea1a50af7b453b27e9362966dc326a6193826be49c93b11d41d32bd057c98adddb8e0ebe932a0b82ac341af24a7713b8805fad675e86236524eec

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
f932b386a7ed308bc7cb62b435e99601

SHA1
3a80531754eafe3c06371a9cde48f5dfd803d28d

SHA256
d8992e65df29215329a92847118a5b53950e2bf4359ee407376f900db7bc2661

SHA512
54288eb603b4c1f9b3d27f59050fc609ac71dde77f7b2a08753bbc5c9e0c30e308bef3414073ebdb493487b3077482bd2e36087a5ffc6ccf81b9fca91b7d46f7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
dd5b068ad9a6bc5d3f2d805019e33bce

SHA1
fd5cb0e37f0f6c0440bb1414b0a3f81f5ba3c6c6

SHA256
a2c66028a6946b8b8739f0cc039c085bef9e01254698a95be253de1ea25870ae

SHA512
12834a8298e31c74f1f5127041885553000c73e475659cf7cdeca5f84abaa91d227017e36ed62da6d6e7c0f420931f2454a8e523d71dcb71f8fd2f3a4fe60733

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6e62ec586061dc87e61e5bf02bc5b71a

SHA1
48f87313179589ac97fb6488d3724eebabd145e3

SHA256
9b0b09b5eaf08e3811679f830de056ed25254b7baf36235bf3f026ac9a3cd4ce

SHA512
45336b37e0938df60850cfca4ed8d4c4b97267266bfbe08a5bfca81d6517fb5cfa29ee4cf6b9b79282c3bc758d9d6dee7c44eade78d2d4b18b45d175a54141c3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
35efdc1ba9e190ae9886ab753906a31a

SHA1
80c059dc880476e374f7744db3b28f8cd2a1bd22

SHA256
74905088a2d06389fdd282b2dcd8eddea67fe6bccc6a3ac2938b73b4a756b26c

SHA512
233bf9c26a51470e238048e691bb3396c3da8b5ffe08f6bbddcbd47a0db5a96cf77cc1a699c161638e9c412f101a2dec51ad217a63dfe176e5ed3327939a9f63

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
318d353450e409a7388fde427d73cf7f

SHA1
434cd7ccffbcd66a451963589387d4aed1eac644

SHA256
6d6678314e8c5aec2bac4a6f795fe133e1755a11855002064dcea8faa82a18ab

SHA512
017784ecda43d8ac651f962fc2edce3df6632392e36c82b0993d0ff8d5b1ad9abe8e7f77afbafdf8542086f770f4ca72dc3d4e414167c5a90a8e4ee9513a71bd

Download Submit
memory/896-698-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/896-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1384-702-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1384-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1388-426-0x0000000140000000-0x0000000140256000-memory.dmp

Filesize
2.3MB

Download
memory/1388-313-0x0000000140000000-0x0000000140256000-memory.dmp

Filesize
2.3MB

Download
memory/1932-688-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1932-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2072-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2072-447-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2072-691-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2172-304-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/2172-414-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/2236-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2236-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2236-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2236-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2244-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2244-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2408-692-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/2408-361-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/2636-390-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/2636-271-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/2908-364-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2908-246-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2908-252-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2908-245-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2916-64-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2916-61-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/2916-53-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2916-59-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2916-75-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/3504-373-0x0000000140000000-0x00000001402A3000-memory.dmp

Filesize
2.6MB

Download
memory/3504-693-0x0000000140000000-0x00000001402A3000-memory.dmp

Filesize
2.6MB

Download
memory/3624-435-0x0000000140000000-0x0000000140287000-memory.dmp

Filesize
2.5MB

Download
memory/3624-701-0x0000000140000000-0x0000000140287000-memory.dmp

Filesize
2.5MB

Download
memory/3848-696-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3848-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3932-24-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3932-235-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/3932-18-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3932-26-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/4280-591-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download
memory/4280-338-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download
memory/4320-291-0x0000000140000000-0x000000014026C000-memory.dmp

Filesize
2.4MB

Download
memory/4320-402-0x0000000140000000-0x000000014026C000-memory.dmp

Filesize
2.4MB

Download
memory/4604-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4604-257-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/4604-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4648-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4648-1-0x00000000022A0000-0x0000000002307000-memory.dmp

Filesize
412KB

Download
memory/4648-6-0x00000000022A0000-0x0000000002307000-memory.dmp

Filesize
412KB

Download
memory/4648-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4816-30-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4816-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4816-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4816-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5020-697-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5020-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5048-240-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/5048-67-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5048-76-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/5048-73-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download