75b86e2b94dec6f2c7866f8b9309acf7f31b0bf92374389484c632318b8f8e1c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-12_b22fc21cbb3a6a3617750a1091b01a7f_avoslocker.exe
Size

1.3MB
MD5

b22fc21cbb3a6a3617750a1091b01a7f
SHA1

d346b21d971ed9d588643fcb9e9707bfcd30b9cd
SHA256

75b86e2b94dec6f2c7866f8b9309acf7f31b0bf92374389484c632318b8f8e1c
SHA512

027a9030d074408e363ac6ae0595016633de83aa0ff6316d9a4650312e001e58bc0eef18b0964c43d80a2eeec64a458f0bcd6080faf9dd577131f09706a6e0e9
SSDEEP

24576:a2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedZRVldlnXfH9gPwCn7vOb7HHcg:aPtjtQiIhUyQd1SkFdZRVlbnXf9gPTTg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4812	alg.exe
3040	elevation_service.exe
4172	elevation_service.exe
3276	maintenanceservice.exe
3288	OSE.EXE
1268	DiagnosticsHub.StandardCollector.Service.exe
4400	fxssvc.exe
2720	msdtc.exe
1824	PerceptionSimulationService.exe
636	perfhost.exe
2060	locator.exe
1312	SensorDataService.exe
4720	snmptrap.exe
2848	spectrum.exe
3036	ssh-agent.exe
764	TieringEngineService.exe
1872	AgentService.exe
4844	vds.exe
2452	vssvc.exe
5024	wbengine.exe
1376	WmiApSrv.exe
4972	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-12_b22fc21cbb3a6a3617750a1091b01a7f_avoslocker.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-12_b22fc21cbb3a6a3617750a1091b01a7f_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9be352d7293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	2024-05-12_b22fc21cbb3a6a3617750a1091b01a7f_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal	2024-05-12_b22fc21cbb3a6a3617750a1091b01a7f_avoslocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b18cb76668a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003dab786768a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004709d86768a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba51bc6668a4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3d7036768a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000033ce76668a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059ae3a6768a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d4b386768a4da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3040	elevation_service.exe
3040	elevation_service.exe
3040	elevation_service.exe
3040	elevation_service.exe
3040	elevation_service.exe
3040	elevation_service.exe
3040	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4056	2024-05-12_b22fc21cbb3a6a3617750a1091b01a7f_avoslocker.exe
Token: SeDebugPrivilege	4812	alg.exe
Token: SeDebugPrivilege	4812	alg.exe
Token: SeDebugPrivilege	4812	alg.exe
Token: SeTakeOwnershipPrivilege	3040	elevation_service.exe
Token: SeAuditPrivilege	4400	fxssvc.exe
Token: SeRestorePrivilege	764	TieringEngineService.exe
Token: SeManageVolumePrivilege	764	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1872	AgentService.exe
Token: SeBackupPrivilege	2452	vssvc.exe
Token: SeRestorePrivilege	2452	vssvc.exe
Token: SeAuditPrivilege	2452	vssvc.exe
Token: SeBackupPrivilege	5024	wbengine.exe
Token: SeRestorePrivilege	5024	wbengine.exe
Token: SeSecurityPrivilege	5024	wbengine.exe
Token: 33	4972	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeDebugPrivilege	3040	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4464	4972	SearchIndexer.exe	119
PID 4972 wrote to memory of 4464	4972	SearchIndexer.exe	119
PID 4972 wrote to memory of 3564	4972	SearchIndexer.exe	120
PID 4972 wrote to memory of 3564	4972	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-12_b22fc21cbb3a6a3617750a1091b01a7f_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-12_b22fc21cbb3a6a3617750a1091b01a7f_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4172

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3276

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:740

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2720

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:636

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1312

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2848

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4168

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4464
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fca3c93b57273a1dbfb946a5b99cbff9

SHA1
7a034849d367d051f5b36a6642186c15b58cd82e

SHA256
6a8daaa71ad2df2bde9f99a0abca6bc5be5ef538e06bfea844c524e8c496ca41

SHA512
bc3e192bdc5c91a453656377d86846acdf17f99316c6ff6340a2c60b37ce3185c3787a05ddb4816a033122121de32652af886c85c6f6b4b3c3081255e7a14cbd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
99c68523829ba1340de46b09038f6f07

SHA1
0e81cd9c418061991c3203e7b5e3bb8dc10acd34

SHA256
496157f22c3255f0869ce2aa75eade0ccddb1b1dc04cb01a06375f47dbed0d62

SHA512
59d6f6abe9122897adfb73b95cd9b6d6b492a98c8aa0a3b05238255c5ebda19731c34ddd87bd8b08e03855578e85626872278df22206cf2a606a3881ea26a651

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
f1feca0e645722706ef1a4cb409bd766

SHA1
f91b66743f672170d5d0911f1026e73120efbb2f

SHA256
af51bd698fb87b943114301d57338a13f176fcbd047b226c7bcf26fbdba2add4

SHA512
3c571201c896e999a9d0d1cbd56d768431e2748ec04c8fed4d871b9621247b36a89838fbb1fc14fa0edb39efb071466ce9e27f4bc7ec9dbd437b5bafa38694da

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5ba69936e8f1fb4fb841f79d05ac4c1a

SHA1
2345d8061b7cd41e81713d78e3bcde4842cd48c7

SHA256
0142f0f33e43120ce0c6048c4a98b232831f45cd90e87ad7d9d93f9258afbbc2

SHA512
9a10d9c97d8b60b2790c71f305a436f6dc3a427761c646276198cd99d88dc93918e9753b538571923bd8e5ff578f11df1353e162f0ff7422852fb114b8299488

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d14680868712b2118ef2c3990e39401e

SHA1
dafc730ee2502a7d01d35ef1e2bb4ccea1771343

SHA256
5072e9c71b41b390587ace3f531a64c097d042af7f44a2844db47ac955ef09ed

SHA512
1abce8c5a1fa1ba410ec788522c62774e8d580ecdd794772cdc8cd02fed94c584216429d815fb76cd10229f3c7078eb7b26d56ee2c53f67a32f5d593af4d1495

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
b034f1c10b74234593e3801b6f591c19

SHA1
49adc29c1950c9f5534fd967a86584ab968d0a51

SHA256
c59dff538c88130b5119c6b55790f973d6d000ae8282c04cbc110e64d275bd49

SHA512
9011b6a38c3a72c906e93e55eea7ebc972207eadfb6b9661d0cb5cdd4bf46781078b5be9d75c6ce108f96beed9020daa1351f1db2ba5c38ad7a4775bc8171ee6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
af3ba84536e9ffc5996c67489ef17406

SHA1
44baf930b3d8478f165aa17761034abe2ba868e6

SHA256
30ebc2754a6c339ecd5a96733f2cc5486c98b755c4bbebe3401af0b42da4071d

SHA512
9ac5c44606288de86753890beb8d84eb6cd30539d7ea91ec8932fc70a34c4c763250c02f65076bd4f81c63d5c6b55ff4f2f289009963175a414e11f31172f213

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e101cca18af40b6d48d4618af919cb39

SHA1
793c51b7ecf4bc53a4b090e3a9c21b4065d696f7

SHA256
4497448ee7a5c1427e89718e8053092f38d9dc6250f5b6180c93546b39ec5504

SHA512
74432903e13553a8bd23bd37215c3f8c6fc820430357c9e8884aa49de851fd8b1bef96364edc792c36047b8fb8267015ae1ad39869134ef9909297ff30aa9dd5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
fae270cdf37457521195fc2e87745218

SHA1
3acfc47100abc2a89a8cc496d1c17d45859c73fa

SHA256
35e9bc3b173bc11ec29f7e3c2fab5f05fdf0f83169a7faf03f7f4f04f1b61618

SHA512
55822850a92539e58f30789ea3831c8121371ea3410266d228bb3aa47af35ae4a2a9feb8fde1a1b3b89e6a9e963b3f9f76f7457fd5fd562a26a5db3b72098c6c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c2ed603d8071d7d389ab0a8d1e39ceb0

SHA1
8c07c15c33d5e1e1d82f9e6a47c849eddf6cfe95

SHA256
c90766eb742089b84a43f7a8459c5ea5c9d048ac53a0268601f3f9c86e5bb0dc

SHA512
dd22f8d336b1f6aee350406e89ae2476c5995b40019aef48a686eda55564405959848496c55051fef595964859109830197fccb5ac1c4cccaac12d30c949d094

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f959e81d94a23ed33ad6ee1c585b5f62

SHA1
8f5795d5c4ea7c5b90f3c0966bd51bd7e694e7de

SHA256
c4ca93e19b3c8878e4c5c1c71ca66c0d3c733b05de7db9bee226bec96a7638a6

SHA512
c369a1126183b583f8435ae705f5fb1afb355cf909686ecc04c169624a3ac6e9c64f6a24722169de3983d5dac1747abdc042375888ae4d10736e8e2f07833529

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ce766d2791ddd61f46fd37719b44169e

SHA1
d8803b94bd10f876740b5a0cc864242d450fe357

SHA256
0552f9d31509760629642162d0047b6ef670d2d409ee951c1c56bbd60da1bd99

SHA512
e6f8c86d7161777c63438c7c34be5a95f143c8e5d698b79854296dde04dd0e7f5f094ec510a0c5a246e82979ebffb295ed73b668694848a09248891b02ee65f6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
8f50689e35e504b90712bebfa7029a20

SHA1
4ed7c09a9b2acad0293fb473a655eff8e8e33366

SHA256
38c76e2871bf10a441f5a6cc723476db70354c736254b2f59eb1ee43ffb8a12d

SHA512
d42fd3ea37c8b1258553b0b215424500bba59e24c7074299dd9df36bd6f2c783309c2c75f32537923f6b9982851e4759c1189cc7d047035ff7ad4b1437212352

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
c45577f77f19270b69cd49830e281895

SHA1
09fcdc0d04e9d0559ea5c4e94b6489693f4450a7

SHA256
9bae47f67da49be9bcb77dcacfaf256715e69545262b40fefa6d2851e03f5bf0

SHA512
7a69d5471a36290ac1d818a734efdf6e1dc5e5bcb43b4e666e4c4bf962e5454840c7115cde1cfb8eb943416b7cdfe484f5beea8761a1de42646c7dc52cdbe7a3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
36a6537f1308ef1c7dff9a54a34626ca

SHA1
a33d7312a3b616b1cedb850a693187d342bad428

SHA256
8cf4b9c2502d64c3570c88bfa4037b05973bf241cb6ac9782b4d8c2cbad5cd5b

SHA512
d383246d8cac3a020af44f1bd862ce20fe6a0a617aefc4ae2e064214e7c5bf7dc9aaa3c25d7f98313a8ee96780289cebbf49623d1b9e5d90977552f5b55ecfd4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7fd53e1b92bf2b2753535435116b5304

SHA1
338288b750b36e42aeb71f3b927e837e062a0b31

SHA256
1a7547ffe62ca33a8d777a2bb4076d6710eae7d81d80720b96dca2bd9a5cafbf

SHA512
4c36683fec08596ba2af47ea3a33d6a004042a17d1d281f8805863cd9e5126cf1d05f5e1ad283ebbce15a78e59f6c4badd0093d69825786627b7b0b0b6d623d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
adabb77b8d46b44a26b2f7aac3f77f57

SHA1
75860e16591e3e6d233a0d8940f96c1799006002

SHA256
fb5d936a5c2b48db9a942a39c6bf5c45dda898448fe7166ab356ff95d6d907eb

SHA512
08c3627cf71bb98343b14532d2045044604c68169215751d100995dff0a5f4bc5109cbde86ee27c1aec83a18bd0e3bceea090f54502eb298c6be41e551af97fa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9f99a9c1e6a601e3e640dcb61f5886fe

SHA1
cad921e7b28c72064d5f0c083599995faff47c1b

SHA256
8f6c2d23e424d8b9ec36728fe4a2efb4d4fa2756ef13bd62b8df92a9823294c1

SHA512
32e518c4709d096d1c83fe993526b82078b390ba3d10fb2d3232e0bfc494306bd480a8f0a1780e4bf13f6c309327717d506d850e6faefcabcab33dd0ea3269b5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e8f203ea5e5e4f46bb476d2eb1a2209d

SHA1
296548d2b1a1c448be3db594bb474711bf30aec3

SHA256
93316b5a732b7e3636472ec213e0b7e5d6ee1a534e2701e06774775d8ac710ec

SHA512
436784a575a620396fe125a8cfce9fbff3ddee9508be535d85dfd5e10457e030fc7e7af1eebab397862a62d2dafae85f72a85f7a75c24c853d850c51850ce19e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
98d39e55ab2ea17306c03166e9a3a3ff

SHA1
f10ece605ef0b3495ad1f7a9fdae15af983dd561

SHA256
e719617a18b937e351d7528d180eea5e50cfa932b9c27e225c172f4880638be6

SHA512
16989a46ffa757ef3e2bce3f6889fc4155775ef0ad7717bc6c259208abb1f6fdc3bce842939b1b593bad5720650f426f1fe29fdf2190ed3ee2c39a2a6ee10abd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
d5335d215bfbcb09810870df56ddec84

SHA1
0b37a0dac2e964ce249e6a571172f2abd10b53dc

SHA256
2ced4d4bc80ef546f7eff02f53f19c0e562e17ee5262475d0392763937add13c

SHA512
35b4fe02804b53f70d69ec8ae55a3fbf0c52982fc4c2753ca4e7732f084612ec37b536d4b25f85056233015b82e1a5b1594d083d94c19a0cd6c5e66d24b77453

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
a65569d870d456b7f75b0f0855241354

SHA1
a00f2a5006e5d4d486293bc4fe981c5b8b844b06

SHA256
8b6aec1940745806aac587b93260dc38a7e5721e4337ff9917ae92a884bf9453

SHA512
f7d2330d41e5a7e731e1b302391a1f58ce22f8662de2ceed165a9277bc65fe8291dec6e4ad131f30891ecf58975d83f43e597e34ee3c03637654ed12b51ef305

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
b98f684026340bcc0831cdbb453cfeaf

SHA1
76b67991c031001b847ac7479a48875c4e17bc9e

SHA256
24959ed1a67398a6311e3fea3f285cebccefff02cd154c3515d125b4ded4c21b

SHA512
ddf276e1227c796d80d8d940284ed08e86a5d916d58f21f722430ad92ab9873fdad31c7f6b3e81fc63291bcaf06b90187dfe586340e774935a48b2da990f8c5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
7c5bf1a20579096d81b73341b1b2979a

SHA1
7a6a54dfe0a1b5050fd1359b67ef63ab0e0f23aa

SHA256
0a93ffa83312f8a2fc33db604dffaaa46d1c10917d40a3c2a6445bc544ff72af

SHA512
84834b9f45ce4d0e4636ec81701ec4954b369692ed7ad5a30d21354970ab8b2d9f8056e896af5a93dce3d38736b63f9ab7c349c49ea6404e01c4b3eea7620f93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
1f69c4632ecd3c7c6da5fa0ba5c77cee

SHA1
29e2154d4b6754412aced43d4ec9f2390073fe7b

SHA256
67c2bfa439cc1517e871333edc5a1bfd591f3c4e8ef02156ee637189d44b1de8

SHA512
2ca8acb7a2b4008a6f67c316a68a7c827420b71d79ab6c124d7abe18e0daab77c04e07827fa4b444a3fe16cd9d4ec91a5397f27c9e70be0cb7389bb221fab754

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
fef35c56a2f3b4a800640ac212714c16

SHA1
a01b4fcf57a74fa87894dde476765ff90e9f53e7

SHA256
bb36f94e8e0e45d98b9704e154e9062bb0da99b357e61c76e7d6339516428bb3

SHA512
68772a4edf976d094f019640bc0c90d31b1481eb542e4e9711d0bdda1294af634d24d4c3fa4fe4a823681da4b6a3f2e9e8901661c9c8b1bce0c2c4d24570f004

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
b9cdbab6a7b120e3fc41848f88e45999

SHA1
ed7408accfe9e5c74cb51c8be7456649b7509baf

SHA256
7e14c7ebd42a0fbf0a0e95651d1bd923f1006014c57d6eef28249987a733104f

SHA512
b8d62a877bf524dd2375918979eec135b84d32b5ed247070ccba2e4e3634fea96238184ced8960594e6a1d40b1b73c9fb60b891c6e3b1a7e575f62dbc710ec73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
cd4a3aa3dadb568fd873f3ce719f69fc

SHA1
ec8ccfbfab93181ceb2853b49688a85c56699c46

SHA256
8631d47d6815e2ff65c76a922dbac83de4a272b0d761b4a67d35c063bd449d8c

SHA512
23897c4c73f079cff5bdb7dd0436112fdfbb86443c3e0d60f43a2c867ffdf923efb47bf13419c6506bede885c0864df7dc9364e30288cf922ff28b066a8dac34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
ea1aeea42c6c165197c14a8a28afe1a9

SHA1
3ee4756dfc0c671ff903fe952bd1e6c35d0cb0c9

SHA256
4584f1c097d75fa65193ba9ebe53d864169610d4b1cf08a2940ae3e0d5becd7d

SHA512
942de2aa577e27e2b7e078286904e7ff97379b4547deca2aeee21921abaf99afe84dfa5a3a1d4fc28ab9c8189fd02ac88e609d975aed9965d2c37f7f1640d479

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
8fe958f1bb1962c12f056ace94befb9c

SHA1
5326016d45b4a8978209cc3760d1dc95b310348a

SHA256
02eb31e38f5c60d4947d42e832687f59629785014cc7813a0e8c96056640777f

SHA512
bbbf09e8328ce5f1e659731f7cd405948729f5c830d3b428411222e448b92ccfa5c1eaf085d4503fdc30bd2a66bf9eb8c42e1ceb32712596d4936c1643e7ce34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
5c267c22846764d51e43f659f24952ab

SHA1
b60be214b15e0a7459e055636c2b6c28fac6de67

SHA256
a214b34bea2cdf383ab1d578a76164056ad159eea26ed4eaadf569dcdee1c138

SHA512
d72b127ae3140fad1adf614cf6d6cd164fb99020b5e7a69d1585022aac360fd099cdad91bd7ba818cd8593af131b4357d3c8eaa6bcb82ae27188d40c23f99245

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
ec530c449827f5ba928f846c2f79020a

SHA1
56185e0f81031bc8b074917711f70b7427b08362

SHA256
a3011ceb257317b7894a5245534f1d1da0e4141ed15c1e6fd3a563d379b4fdbd

SHA512
387ece3d254e0c56c07373bdc8f788d40c86c108fee093a23c1e183d464a4e12256750799e1c8466f4b2cf26d2e829f56df30af6beae9c3b282d03abbda02e38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
a353814cd1ee9374d24c8d8127627042

SHA1
8e2b95c210b5a2b0be42b66346ded4def2b69ac1

SHA256
94002b95d043adf5a28687eede9b1b431a92335ac225592dde0ceba7ff9ec212

SHA512
825c2748596b76137c1b91004e5f17fcc1abcc6a7f8a836e2904b9380387fd59ce380307ad3a9129c6df088c8a48c3761eeddce1c175652a9cf18be564bc1985

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
092aca57cef17fc2ea209683f76eea8d

SHA1
0427a26481bd887049cc172f1884aa51e31f00b0

SHA256
3c252f236d795603ff79983f616aa7bc87c94a9a6c81da9c8045b82b300d8efa

SHA512
ea397e612517223ac96026d88178bd496de116ed58e4ba3018d9751452b29e2274913e79e7ff1224b1d8d6c43c8930b289721a4453bcea79b9c36c21c370106d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
767fa0c33c270da9880f46dbdc1058b6

SHA1
f167fe43039aa12d2486a75b97a7410c77a02f5a

SHA256
a592a7d53447f0666049b9f5cd2ff83354b913db19d078ce48c2810fb9a468d0

SHA512
8bdccf75046dc471ec2c154dd799daaa286f86f25c655e30eea5d9fb8d6615f7040b512ff7e718d33ac80e5f91db059f7ba8fc23f3d74f27758a3049fa06e294

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
9a80513dc22a3d5bff5d387a2ca8311b

SHA1
756ca48a50174204bc402d31a437f36cd94ae537

SHA256
e46b037293dc93c8f547ef46df8607b3e3d435515ea16707967a70959f575c37

SHA512
70942ad05f9b1c9138a66ef5ea7bb190bcd1f1ebee7c56cb7801e7d7a024ff4cd1e29bb3b037e22f4c9d7f6b2e1488c1a6e61ba97d264ee13686d78763e68d8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
9289ab96f0839920718a3a8e3fada3ea

SHA1
13cefc2272cd3dd2cc85e480e3081061afc8debf

SHA256
4c87136000fcb271c9b20fe6eb979b4451d2b8feac4914ec197ff66e1eca17ff

SHA512
55cb90a0c54978d2c705c552752eca7fe24744dd0e017f4588e01cd5663ec5b602e6c31952ba0a2889131ee19207261c23c56b7404202ff9b6e35201610e4d4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.1MB

MD5
c2a180b3b02048566dbc644144b9186f

SHA1
d31ba7845cf5e42bab82a4c4cd2ee9e29c0358e9

SHA256
3f8fa6f7820a6dc24d027a290469082b16930b3acde0e19f1594a714931e4214

SHA512
bae0658a930240db3db84072cb96ed7fe460aa5941243c9a8f41c6554de04a269be9559da98801a56cb880621507ac310b22302e136dfd90befdf53689b690a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.1MB

MD5
42cb4b4b7051ebd330059c07b6ef6c94

SHA1
66a36a9c873709a7c8d56f1079947132f4ed68a1

SHA256
f0a46c79beeaaec6640a5613df323b3c44d744b737f58b844958f43b003f443a

SHA512
eccf3a2f17ee684c7e24e03aa6e5e2d85b98f8ed4d55fcf169985495e35088f9b625292133f459906d56318a3dab8d974fd7d4c9c75cb8b22e239e3a5bca6934

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.1MB

MD5
6feec5432618c733bdb80a524e61d9b8

SHA1
8a84fa5df8cec6acbb623c2f333f7299e0d6f31f

SHA256
dd89011240030b13c3f70ed71b26c63104333445d0a2fb363c0655d6083abd30

SHA512
2f92a6814b40eac1c7f8093faf9ac5d95276cf39b4b9de4b4152beda7b0cd4155a9429cf2b71596cd3097e745c1563ad0aeebe3ae27968fc6c3573940f1b643a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.1MB

MD5
b8db8e8fd27d6ac50ec24e24cacd45c0

SHA1
d2b24769ebd72dee9413eefadd379e9151107fb2

SHA256
573568a9e6aa951d6a4237ec46732d7075d8609bfbb955b511fb33f15c697b34

SHA512
51fb76c079ad6c7ec09d67485110cf514e8b27ca2f597671701f31fbc64b2b36d2c4ad92e5fbaf85aaf52bf62eb7258f2dbb8b9c347f90ea0ae8c5971825d007

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.1MB

MD5
a1501373eb10242c3c8a76990e77a418

SHA1
98ba34eb5747acdff3eb28332a585a337b1ff124

SHA256
7635529e42ff6312a3969a1efbcb732fc708aacac4d0e946890c677cdb6e2f66

SHA512
1f5fe0c4e880b060ac4afdc9745745239f9d389a48445ed7834463d9b9a31e9c5fc06d0b6f78eee3d8067ca1d2d09cdbfb1e35b322763c8762bdec47eca7860d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
ce12c0626fa8092fec0e195772b144d9

SHA1
8a44b9ba4325956f847bd73b3d37a141af66ba33

SHA256
07d4e3ff3ef7727d3424db55eb31df3203ddf163711578c2709dee225f38409b

SHA512
e0d4cadbb8ef86e775ff694dae154bb63e9704d15ca084bae625c59846b55046319ed3269fc11c6e62d70885e2af172cabe82d8b997b9cf94efd396c4e9c1af4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
e48cc886a90e70a5bb0c096539cec48d

SHA1
884c75cef77c1ddae4666ddbd149e0303bc52b14

SHA256
77ff64daa1c11243f28767b6c7803c78b3fe8e95a97efed6068a4594eecf3c96

SHA512
c72bca2882fcb04ce8e4f1130501fe496fa7527dce2500e564df3d4ac10c7e9cc134cb1f5b6b53564e224b4780da4f4d89fa706b2f1a04e5fd4e9c47bf9315b5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d36888abd9e8d7d4d78d979e72512674

SHA1
557f25ff8e31d0939ee2e6fd309b743d7618767b

SHA256
5c080c5498457362bcbf20e0ba85e8131f4e36334f5d83e24b4b94af4fdd5161

SHA512
cb4ee343e3277280ff075bfda8e2e1b4d591aaf85ff132b04a679c592d37f36c6fd6e1e9d0981499c6e455384a64620ef01876526edf300144a9a09823c77509

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
4860c4af18d2c43f0d25aa60c525b354

SHA1
7d36a8e2a3aa7e2abfc758f3b38a9be22a5dd99e

SHA256
80b723e5823a5bf61d259c0d108104015a53aaa6e4c3faea511e91f2d45f17b0

SHA512
8dbe8ab9ca38788ad31277b408855c36cf00b2a0e5c13c227e79c4e838d683d79ff78b4fbb439779d69f50d93300766cc36c52185bedb38d1fb4f45cc77aae50

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0f8137b4076ef88dc5642276786386f5

SHA1
409acaeee32155ae1440bb07d27f8616280a07c3

SHA256
d7ab960e6dae5e37106c6c8ffd6da8481be7dd74a1a17227e218b6c5c1f19069

SHA512
f91253cc5a5d98b4022f43523b604aa52de047b2c6b4778c0c68cd49c453f6b3c3eded9ceab43a87fd18f0a9b5305b6fc02c2ed0fde8024efad18d96aac0fcde

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
52e713a7343d4154de73777a7c87b6bf

SHA1
35591dbfd0a4249a605736749fb76157bf0647d4

SHA256
e5cc5662267f9049065040c2ad24791ea3b293a948b3b5fd5b69af78006ddadb

SHA512
3e423b030f73750593a57ace3f37901235ab30ee0ad6df7e06d56646506d6429f9e375a59e79c574bf0b8c43a16a4e47dde0a3f4c4b2267782d7f34882714894

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b597d683587c692d97f240b94ddf35c6

SHA1
1236cb8ab73a71e2ca86f00a8f2c552251a81bd4

SHA256
f65b1b7ddde6b2319c5666d33dbb2a9ef187124dc5fb96e10ec6b26463d1ff4a

SHA512
c87b49ac63c317f61f813f0cffb51281f70898a14340b048693be319db31cf066852961cf1760f69cb3eb944917db28f9b4a6b72c2745a56ccfa0e8c8062a4a0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
e7534cd1dc1afc6fc58fb48bbe43756a

SHA1
ca425f2170a1493a0e2201bc08ae43906438bf7d

SHA256
94bb29202554f1fd1c1d6c102a1aaaeb2bc030539ff7ce870ee088a9ddfe76f3

SHA512
ab38795fe1dbe707dceffa2dbd9b9b11c371750919f893f04ea9e5c32a180d25358c3c09c1ab902a4bf4e20385a55182aa26a861d937961da6e8758512222c8d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3994b29e47594d79deabd5c0ac470530

SHA1
444fc80e75df8d6ef9bfb0c28ce8afd8ea5f0d45

SHA256
93488c19762a00c4d19c22a3923274d065b75eaa9f7db9749f47730baa099f86

SHA512
1f8ecbea8ae27c4e1fd44af71f27e6cff73d676f6d35778a8e06d6f48cab3451856adbe8e1fdf83ebf863a78ce6d82a9039b8efc139976c9d928a1ce763d8da1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9ad4b440e10a531895531b967e8014a9

SHA1
a61fab871c207d6a577f0802daa9329a37843bf2

SHA256
f429c53919181dde7871b891f2c34d977e4753513a1b49c33dc91696a3c3add3

SHA512
cc126bef7a8754d408651020d774312c6f94c6d30157cb522ccf1d0258d48a1f8d21f57373624c34863cccd9e96f47ddea2dee08ad856852323b0fc55dba0f47

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5a78e84196dc4a60499a4795ea5d20c8

SHA1
7ca627b1c8e58cc375e9e0483bcea4a3ae9f2006

SHA256
6ec75ee3a638fb38bc7cc81b7b8f844c451af38c2f42ec3efe8f0440ec75e8f8

SHA512
cd5a85bbc2d639069bb61f08e2dfd8cf28cfbcda99b02d52a6310407fd1fb290e634083d9edb30d05acebcdecc8c930c1e0464928b19f74845d29365b7216556

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
2aa01afe82b844acc993b583555d059a

SHA1
5673b9f198e034432a0e82b9d8f1e9a58a479fca

SHA256
72a40b29abed6f4c50e638a8aeb7da2b78f0119ea16405e71105e10cff53c4e8

SHA512
d5a7d2ef5201accc2564f815f679621e6658b613143dea539b691171583dfc18daaf541591aca8fe41b4abfecab306e626eca510fa569251d9eb5ed06cf62091

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ad08f098387defa7d331411d7202d11c

SHA1
4f737cc422c78564dc360d023c33e816c8f51f9a

SHA256
c3a40f28bb275d4de08d03e55d8ed9655ebd94ee91ebd416bae8008e3a886b5d

SHA512
4e2eaa91a0a2488e1fbcef6b8762e509741eb9616d9d75ea3702065c6a45d7a90fd2f10696fb335e5f12a3bc8b46d834ebbf64f0c25ff2acba58de1c1e0327b5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
9c596076fd5b23a24a3c1acd1aadce5e

SHA1
fb7b4b8a3f286ad66136b84b397036df76a86344

SHA256
486f1b70aee26d99f922c88b9795e0d45279599e89267667770d275d0cc63e84

SHA512
0b997ae53f147d5302ef13abb147c31ea0cb083181b3cb41710c01f21969e2fd3aeb53c7ec3096cc340b54342292368efe33584b20ccab2bcd8a60170a8c999e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c20bf15962af96053941219284aee11d

SHA1
d17f75e148dd09c98e0fd1784d9a9266d997a1f6

SHA256
655ee11183785f1e0f1992e46d05fa39c3a5a4fa81a611ad968d439d65c16cc9

SHA512
87cf38133d8a6b6f0cc1c94b639012180bfa43b3fb007ad22b2b5d6025621d93d9266069605e73b8054ef235e717f2b9a00333ab4a6856f5e472129353c9ba8e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
9846ebc55ea38a80760ae4315d543bc8

SHA1
1de08b5a5e81e2e1223776b274ca6327df21a6a3

SHA256
acd36683d433f2d08310ce8770cc88cf3511fec86a1cea1ebd8e50aa49fbae97

SHA512
7c034a2341daf4d2467a1015b7a029ec3741f4cc447c8711d6585120a986587aaf094e963fe3fff6c689248c4f49e58a38cc39b71e5595d3454f31fdceecff25

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f52dc322e8e600b0b9ce9344edd2454f

SHA1
4ace3b52e8bc3ea5bca66964f13ab6b5170bee14

SHA256
abc4da6d385e292c9638930e858db288caaf75ffadfb94d1f83fedad94ad0ef8

SHA512
0c7a4d040fd5f7470be9c45ca73001dfda26ed19906226a0c14a6045c3c5275fbf4a8e5660b7bed36561bf0d87229268e351f53aa683f62a13f09ec61353eff0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
42fe7d701160018e01873d42807b3ed3

SHA1
c3603a3bed0d108e7b0933b1c139c8bfc804a082

SHA256
eb1b79c8b4641c292bace6ca5ac2dbcc1130571eca3588dcba48e1e1c1da1398

SHA512
b22ae2b60a11c02dbdd3b188a850b246e6250cc092a6ebf389c1fc3ad82d562e487c8eec65a5546a21638081a8ebd1c6c24bc337c3e215293cd774ebc168cfd2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
80bc07425ced885ca47e9a9f0ed4cf88

SHA1
50a04e8b08e44ce07b466dfe479ac4cae99176bf

SHA256
bd690a1d0cd6ade9d1292d9cd76dae3f98254081340dcb7402b01f899ce20d83

SHA512
5692e6aee652aba9ee172173e139d617f06e30b5905d51aed5367aa2d894180ed0eacdcb126ed6e9b03778ff3861122a47329e883b1f5172c73a960a4452f236

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7bd4e75f5181621d076576ecf336fa14

SHA1
9077ac9f4af0d7bf6aef35185a81d6df6b3a3dc7

SHA256
c085e6e42d12df320b222096e728e537e3fd516481b38d8e555c1fe87558723f

SHA512
a2e300c75eb91dd6bee444841759cc3c720d83334714f8a39d29048ac3416454716e80172b121d472024a2a1fea121fa6a940317fbec917ec97f03e0177ec8f1

Download Submit
memory/636-299-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/636-412-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/764-371-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/764-658-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/1268-251-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1268-243-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1268-249-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1268-370-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1312-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1312-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1312-643-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1376-433-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1376-664-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1824-400-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1824-281-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1872-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1872-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2060-424-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/2060-305-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/2452-662-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2452-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2720-269-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/2720-388-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/2848-654-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2848-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3036-655-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3036-351-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3040-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3040-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3040-32-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3040-38-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3276-53-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3276-78-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/3276-72-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3276-59-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3288-128-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/3288-64-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3288-70-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4056-6-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/4056-29-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4056-8-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/4056-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4056-1-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/4172-127-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4172-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4172-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4172-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4400-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4400-255-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4400-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4720-328-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4720-522-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4812-237-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/4812-16-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4812-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4812-28-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/4844-661-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4844-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4972-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4972-665-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5024-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5024-663-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download