bbe011df9335d5046461f95532155fe334b4b4f89db5a88beaf967592d7cb939

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_babd1b6d95df1253ca93ca896c266e01_avoslocker.exe
Size

1.3MB
MD5

babd1b6d95df1253ca93ca896c266e01
SHA1

f55ef769b74754fb3942ac6b4146cb829f4d92bc
SHA256

bbe011df9335d5046461f95532155fe334b4b4f89db5a88beaf967592d7cb939
SHA512

64b9f3df9c8de8ae925e7c8bb06e5f94c8be7d93eda67373ef9d5cf2f53b4a2d0329abee763b4853b057e4d2b0ccc1dde6dc7439110741afb74df1d08b8e19cf
SSDEEP

24576:/2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedMhG/5ESOhoaJlmUvgAPS9pjY:/PtjtQiIhUyQd1SkFdMhG/1OfMUgAkp8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
552	alg.exe
1216	elevation_service.exe
116	elevation_service.exe
2176	maintenanceservice.exe
3024	OSE.EXE
5048	DiagnosticsHub.StandardCollector.Service.exe
4088	fxssvc.exe
3216	msdtc.exe
4472	PerceptionSimulationService.exe
1004	perfhost.exe
2924	locator.exe
4576	SensorDataService.exe
1652	snmptrap.exe
536	spectrum.exe
2316	ssh-agent.exe
2328	TieringEngineService.exe
5040	AgentService.exe
2320	vds.exe
3916	vssvc.exe
2124	wbengine.exe
4960	WmiApSrv.exe
1996	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exemsdtc.exe2024-05-22_babd1b6d95df1253ca93ca896c266e01_avoslocker.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_babd1b6d95df1253ca93ca896c266e01_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d033617bb4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe2024-05-22_babd1b6d95df1253ca93ca896c266e01_avoslocker.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	2024-05-22_babd1b6d95df1253ca93ca896c266e01_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091a37ee688acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d859ee588acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb310ce688acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ea9e3e588acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a82f2be688acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b535afe588acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1216	elevation_service.exe
1216	elevation_service.exe
1216	elevation_service.exe
1216	elevation_service.exe
1216	elevation_service.exe
1216	elevation_service.exe
1216	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-22_babd1b6d95df1253ca93ca896c266e01_avoslocker.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3324	2024-05-22_babd1b6d95df1253ca93ca896c266e01_avoslocker.exe
Token: SeDebugPrivilege	552	alg.exe
Token: SeDebugPrivilege	552	alg.exe
Token: SeDebugPrivilege	552	alg.exe
Token: SeTakeOwnershipPrivilege	1216	elevation_service.exe
Token: SeAuditPrivilege	4088	fxssvc.exe
Token: SeRestorePrivilege	2328	TieringEngineService.exe
Token: SeManageVolumePrivilege	2328	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5040	AgentService.exe
Token: SeBackupPrivilege	3916	vssvc.exe
Token: SeRestorePrivilege	3916	vssvc.exe
Token: SeAuditPrivilege	3916	vssvc.exe
Token: SeBackupPrivilege	2124	wbengine.exe
Token: SeRestorePrivilege	2124	wbengine.exe
Token: SeSecurityPrivilege	2124	wbengine.exe
Token: 33	1996	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1996	SearchIndexer.exe
Token: SeDebugPrivilege	1216	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1996 wrote to memory of 3696	1996	SearchIndexer.exe	SearchProtocolHost.exe
PID 1996 wrote to memory of 3696	1996	SearchIndexer.exe	SearchProtocolHost.exe
PID 1996 wrote to memory of 2980	1996	SearchIndexer.exe	SearchFilterHost.exe
PID 1996 wrote to memory of 2980	1996	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_babd1b6d95df1253ca93ca896c266e01_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_babd1b6d95df1253ca93ca896c266e01_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2176

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4320

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3216

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:536

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4244

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3696

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4bbbb151650842d6bb13ed53479353fc

SHA1
0186e69ca5e4a5ac1fc922cf64da8af3da11cbfe

SHA256
6358deb53a187ed51df6f2ca171c2ff8c4f9922d579e4dab2df7f58197333b71

SHA512
db5ff82e809c839451b7728931ed714b335a9aec91f84fb58628f9ab1365ceb485a6320fe2246696e087dbd0718547a0165351e555d03d1cebe9629b04d5d20d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
295ac87233aa7d2857c3ac1ffa293ae6

SHA1
b90bedfc97cea02d80aa19d475a8f482d94a2627

SHA256
c43c353e861b4133f82133f61119533ac16a82a2ac343c9a8ed01ec126c886e2

SHA512
c1f5018959a59dfe507ecf2381e9a4843732a97edb4ec3ea29911cea4591fba526a5964f40ef40ca24ffd24b5fe36b16371527a642fbb769394df206fd71106a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
5d5f3b3f487ba0271e406491b8a5c2a2

SHA1
a7885163cd48928e5efa8bb2b3d9586357fdd998

SHA256
0b3ef491fa759d510a7ff97df9443c0e0d02cc89eaaebeb533684e6f8e2cbbb3

SHA512
14cb6c2a87b3b8c78c648073c96e5892df05c969f107bd1f38d1a908d550b5df7a2f3c2f5d4adbba595c38bf07085572acda28a8ffd8376a05bf4a775616c157

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5211ada96e6966b2479e85501b5d8a0b

SHA1
e704da8951457fb4ba7db8951e5960c8b772ef80

SHA256
a2914bb8cc04cc7f45a468188c2f82d789b4f07a07f3ccf6abf2165302fe080c

SHA512
c37526aca2b35f0197645425217f01efd8192e786fbdcd44abf0e783d82c508672fe205ef36e732eb1fcc2e2399767ef8622c336e31be1a56eb9f5766fb21405

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
895fcad8c0de9e178740769239a85a3e

SHA1
97267450cbaa8b4db257ac0eecd6433977c167e9

SHA256
bed1ff993f5b35ac0bb30a9ffe22de57cc27cb83dda7545a3ea5efefd015dd82

SHA512
d46f598ec182ac1062c88abc4e41a4a6f09c42b65a1f0ff6fe970178c7d24d62be87784dfd11b98393acd829f5147dedc006f0446c70d089c49a098630336667

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
a874b3c703fb60052d1f6f01a21f1db3

SHA1
d4a8331a6bd41051c1aa7efa094dc04a6d908b93

SHA256
fb4a154b0feb4ab393ad8d4c32d882f081e63027af84e4ba6b4d7b7357c9fcc4

SHA512
63d885413d18dd3cef884f8307b66a9696b4ff3211d7d094e11006c816c575a69f08b491e2d01dc2c4491229da44e54f749e2dadae24385a41025f66fbb8abe7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
23651edbc9d5a5d621761a5e2a05ff43

SHA1
4b2e3e8335a56c336d3330881d053c6db8cb8a2f

SHA256
e1105a2ad7292bfc9ed98a7e3852de6d666514ea4f8c54846f411adde021372e

SHA512
d54116b7816ba8513d085ae3da5ddadcbfe698616ad14f55f9448f3bab34c50e5f1e92ecbb08dd14ead38c1eae21f6a1abcfe7a7e78403041fb36c8ee1782412

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f33c4743f03c8f51f4aead5dc059d36b

SHA1
ba35b20f46130c0a7cc462f9d66f903bd5c35fac

SHA256
32ddccc2c9f1265e9f7043f9f6f7a92736630546723b774fd829675911fc7d14

SHA512
569688a7a272b32138c32ff3732d876e9b6546af149174e9a6102ae94afc528735aec1b2e3dcb54b49cd841c852da992a00cadf30bb5583ec56ea0da7213d530

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
85e5d88bc31ad37c16dc183c7e10fe85

SHA1
225b74554a681b08d0435d205e0787152e27fcaa

SHA256
12625d7eefa87fbcbe660b3e70f4a6719eb88c547edf355477b59e5e44506c85

SHA512
a22d39759a4d73adc188e48c26e4a34ee5846602e5191011e7fe085a330e9c056c0243442d6760747d9bf4e941fb00e0617a05d7f28428445d0640f6e2dc7525

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e6718fd44944396a6df6bf1442d4b60d

SHA1
be1c135e9bf095dad09907009b623ca5946b1eee

SHA256
5ea72e877f735394b6c555d8f853dbf534b8c0b265ae7566f73120b87a22fea5

SHA512
7cffe704fab2ed50abc193cbe5f91a2f485b201f047323abf9b0497260802e418b64984247deec808b9db461e792b02fda9c558e397aa81ffe934c48527f1946

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
490953377c3a7acd4aad102432472049

SHA1
fa0edc42b2da1262bd20d7c924bbcc3401f279c8

SHA256
e1e46af91eb7d3f012492f2b945cef5f0ed61da172afdedc2e3be99eded4e620

SHA512
ca583af35c50e00c142a6b550860a804694c40b64495098e5c434792f9ea5c235254c3fba87dc2e510030edd0d3ef7f1ccb524e4eca599671090054d1d6c7a02

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a55b9eba96f1772b4eab2a7f8d94adcc

SHA1
b3863ab7c3e275128279c1f1002c441180c5af9f

SHA256
7fa5e81769dbfcd728ec478bd46c7cff54048a5329c36ed01032f7a7c8ab7c67

SHA512
aceba5d897902f1f592ca7cda65e1e53369f3272174dbbec59488fc76bccfe40ff6b4a5f4f0f4cd97e8be89de2ab0621dea24475bbfbcf596776c166a666730e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
393cfd70ca4fe2675042db07d16b58e4

SHA1
6db263ac2052c188d115bd58f7592f42347cc1a0

SHA256
8892416ad215939ad40fb59eb9bdaf8de377e54528e3c6f1868bcee2ba2b7fd9

SHA512
a91386df013a5edf6824c72481b938edc12b204f523ea1e060622ac4ff1a41ec99176ab827bec46d35b27f3c3291a0ce3374e4b8f1599f375fa7010cf3b79643

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
d05ffc13718cbbe3dc0d86b4ce5d0996

SHA1
40e8087711aeffcfb7c9a855b02b92331bd55a1e

SHA256
5f306578b875bdef407f49a94ab9e36986336add2c291d430c733b5f17fe5bbc

SHA512
579fd97688f36b09c747dfe974d9bd3c967e24abd6a59e4fd9ac7751cd7125c966ca0b420c8e0f6cfa3076973b53346b111a7239acf47d3ca41dc1984997991f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a615cec2f8be380a820c22a65172e708

SHA1
b079a586312856d463b35a8a3e8ada7d2e66cdf0

SHA256
5e2d0dc6c0d0540f55ea48a8b5227ebb3ec055235f697a2f3c063e47c59f99cd

SHA512
120efd9c76d9b92fc7f199778754b0ab64d0547bb7cf5f95aebd115722ff973bc5b6ceee7521c6e26dbd1bc4cd7b4892c0271d819d6284b8e3a850e1b3978034

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c059dbf75ad0cf966de96c40498d7dab

SHA1
9cfa2897eb4864d5f3d7acf20fad1cdb353271a9

SHA256
cab564cfb3dde7b154ea7dca5df48fafc85b449e0ad0a42a56e3602af441c0c5

SHA512
ebfd0890bb628e25073b0e3e362272aeec0e3d2018aecf611695ac7799b4835dbf94f14d1c626e626b4cee16e65abafda9a3b7a06ca97f4515ca5fa197c5624b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
542fdf66ae1d2eeeeef2a42164d6b960

SHA1
004a48bbc728bf008a68d91b462ca11901efda29

SHA256
007fba87b1fae3b96d825e6f6a16c0e45a3c5bbba2474f0a0d01b150490df6fe

SHA512
2e1c14637d7aa7c445b7b6c7f9588d3d5bab578699449d40f5c0433349b63c7e417b14349a79aa6eddd0833f747a28718f0182ab44c6a0e125ac99d36a0c14e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a6a515b7f476683ee4e4ecbc3aab0fd5

SHA1
65658f58caabbd60124d8c4e4fea556c0a86267c

SHA256
6743539def8b4ec6125bd481eb42f8e163f3f77aab831e31523a5f65f984ebf0

SHA512
d276e8d2ea7659190f1c6814f411f6fbe7527b79f4880fcf1261277f57b6b37a427a19cd12e98b6bbd1ebea61ce4b9c1f3b4ebb3d5760ae26eb495c3fb210a8b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
91a9a2db929575a5de27bbe7412026f9

SHA1
f856aff37754b2873f987d52813d08f7520e97fa

SHA256
b52ea04d9a60018b8960d1c7f7e01bc122d1c88d01c83008409c1df21d9fbb86

SHA512
f8efc7686763635251f518b93a4a60862155aa388023fe2486e7da65eb654f69815ebea403a1cdcec06f01da82e9647442d84441180331a9795e6f7dad414294

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7c3206a079bda9161ada390ba7f3394e

SHA1
e95f24da5b90902299e841ab25e3904bb5535806

SHA256
a81bdbd24b65bb6c272a319a04873c8ca61c677d9ab67d100ff290b77e81e86a

SHA512
353a6fb647cd852877f6c80f90d167cc28947df4d092c618d037e7b65b7bba6cd523717573ee9d52c9ae5bfe0309bf68577494b4929c365898219eff9dceab3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
3569d6bd1b0ce3919feb3d00a2a19b85

SHA1
23a025e2101441433a08dc593bce2fba927ea661

SHA256
406125ed54ef22e7d91f6e4e1aef599400b9be292be029002ce1000bbec6b198

SHA512
b2ff3dc71ea5988d85d7d557ef48563da023714bd6747b9261b0dc2baf529714fabef0ca79f454b127e085485e658e0505d4cb52b434dd3ff8ac6d4eded0b2f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
acf9c7fb7989c81c7a90029902ea6e3e

SHA1
8a59de8489b1bcc7644cfef918497b9398eeb059

SHA256
f06a34a660799f81f22ec1bf299119e5e005f53df1d57a3bc207e877e492419c

SHA512
db898bca3131b2edf6068e4e5f6b83b262f79d5d26eff35a153717ef78f1bc3e41b895d4d05c43de83a78eba9ff219ad7357992a0bde240e519d0cbbadaf43d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
bdac66bb08605a3d3e2639a5815f4992

SHA1
6af0687ea47f62ca52ec064c63494d4ca8d17ca1

SHA256
b53146e9262d8f896dcb3209ca81701014f24d1677629d3a2ecd96ee50081cbc

SHA512
146e4f9ac607961ea1b754473928b1dbf2676fd60baf186b7beba23fc60c675b1a9fba7bf67d6fc6c26ff0842139943c0ed3a36ef4c0e04f668c119b3579086a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
ef5d3b375b531df99accc4c0c5b1989e

SHA1
d8981c30b1d3fefa5e7ccf207c6a8965f1aa907d

SHA256
19797b0fc37197cad628e195f2ecb34b85e820b0dfb4955d306ed212a103b08c

SHA512
acd6820e2a301e1d75cfa24e59ed09b98843db260b9c277181003d2da4556ca57aaf4bea3e6599dd49459152608c56e7f129bd1104b7d73d2cf88817e554f5e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
4dfb19ee63ff9aa7cd28813f40b48c6a

SHA1
1c4fa8b281607ed0215f943e1b21eb144af24800

SHA256
cde7eda2317da73d76d94f1d64b7e05eb9516f2ca6656cc5fd366e7d2c8f3f92

SHA512
c99a816bb857fc9225bc8fee79faaddf2bf2458091f41d2e02654eaaf6383c763adcdff8e541fd5760720db69b108d214d99e43a7837b74a61ecb65e7a52af78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
1b4a2791c53c5d9f8bded2746dac0d03

SHA1
3d23e2992b6f63e27b01ffc1db05eb0fdbc66bb6

SHA256
530d41f943b15434490225db982325127183bc459f98d62be730e188ee16758a

SHA512
5c37865dda88f2b7d38222f0ce41d1c04f78178e93e29c9d8f34b7d53782dab42368450ecc95518efa073745e31de4d0f1342c2762a21273f0f7a280f0489545

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
aefb13115d00bcb2b9f1b71ff1737ee2

SHA1
ca1f7e2b3b3bacd7501e0687f72b32cacecdcc53

SHA256
aefacbbda782deca372e8083e0351769e9b103501c9d48ddba528a9cb1aad7c8

SHA512
09c6dd73ff517eab62901dcc2caa5ceab230694c6f4d75c8bee3b25467c29467e260439704c047a5ca84a3486ba846694bc8032bfade29aac5a5d572225651a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
9c5da175c49e6cb0b5888e7482b8ca6c

SHA1
05bd858d8db7e30208cf00e02cd3680503efb7fa

SHA256
998704f7e5a80d09df16e93b9a9ce07fe93d5e70c38b5dcb9dd5cee12a2087ff

SHA512
010bb75510bdf98ec3453d70379ccb867136b92944a610622956733b55ecc677a91ff2a56b936cd6e5892553da4e53e92f0774e6154e6d591873b8caa6d11df3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
bbd7ec252e563c64d5287b05d5ad5e06

SHA1
c7ad5cf4b41553c25f5fbfa74c95998200eba8fa

SHA256
77855a67193b7b925f714099c7886a79e071c1d9395899b4b25ab5e3ac67ec38

SHA512
4cef044931fb5e2ba7f202c8e6a20fdd3d59578c1e18d9169e786c6d59c00f918cb637d4288f6abfd09c5f21c6e7119c97bf062a70fdfdeac9d68e1f63222d59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
22f235f9e2dca4a819ba017fd1b5a4fe

SHA1
012c575f60e800b0d65828665e573a9ef36264bf

SHA256
aac68f384d055d88bcb97a6d86800373daf2ad8c3e424345b3ab52abbe2b47d9

SHA512
48cafa9b2800ad2243615f5d2ff5b09418bb6ab1b587a5a3b87158c9c15859f5bc65031db2b030986603dc3f1da7f6fb85f98bdc6566250ae8361b0d64c86cb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
1d12d6d584e136d8fb53062dec6a6322

SHA1
9156eb5ec493c19e12516285a39410247c7d7abe

SHA256
4d66ee6feb3ddf1a98f99d190c545b9caaa880d2ceddc843c4f577d08ff3cf7b

SHA512
440236244f08084f9d28f2e039908e0f5c7aba4544a9c4a075638b39b9d7b958d66b9207db4356c71bd3b30660b83c2568737c69d7cd486f818b7de78cbfa884

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
e11975e0470381aeff97b41e14cb0c96

SHA1
f20e7e0a745df43ba82dfc28d49beb452c202393

SHA256
ac8fc11db32fc4b4c7a3a8d26128eecca7d96849e1a7d5dc93f16727733b2496

SHA512
4ba8cdd62ffea2e86eee6692c82ea8d55d2572ee9ecf5312a1f6013547f457e3ea719c3e3f4d8deab4e0744f0de86cb9c8029d51581d498e86a6fa55b2281438

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
6dab8698a248ea27767b3ad1dc1dc13b

SHA1
77ffbf380c135f71921bfbf6fb1d44cb39e786e4

SHA256
107cfbbbc614351c8c96db35bee1a179955c8a8cb9ca5e9eda32390566195b01

SHA512
d5f8bf5cfa1381b87797de9744a2ba3d46397a49f2cd1bf6f96f10a00da3a780fbbdbe0400f05c08ccaaee739b6b76e665aa96e15fdbd491d2557664afd0bc3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
6954b501fc57e702994b673577b5a2eb

SHA1
bc62091a74e59f9c2b51eb9da49449773703fda4

SHA256
a0e5a22ec77fea1f22f14589cad7947d1411dd0d7a02922081533db7b41deae9

SHA512
e749af9a8dede9e831e7bc140677810d563c60f0a183152d71778fa11a356d49806da59a1813e7156774928d8a4204cf8c92c351604a7cfd59c24cc64c0aef40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
9d000689876387be0b308def54197b06

SHA1
8c63e6fd695e4ba2236dc922ffc93798ec1f2a71

SHA256
74a6fee2accf05d39a78aed178d6da23f265b91e0b09798e1a2e05b1044a8186

SHA512
44e42afbce73a114585a49f33e4115c34c244132b8add422adc39b865ee574a5dadb900696bc2864508c9cb5fddcbd077511fc03f348334b6588728f155b7c87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
e68d35d981cc6d126f218a095e2a0e3e

SHA1
35322f9bb45dc073f4f456a16137a7715ec91e5d

SHA256
6f68d77884b7dd7044f4a47e8c95d2cf12a153ea433f13d397da8cc1a3b24b71

SHA512
921743af70c76040d370689aa6e9af81f36c8401c5deddf9127828cd9fe24a6d1842d22f3d65501fbe071860d32d55b8b0660e2bac198394d88b7c8ba8962dfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
aa8b3b3200c874e2452a03667cec81b9

SHA1
a3aed4544bcf9cdcf22757913df8ea4799e587dc

SHA256
eabdb9f4bde5bef572dfab0f07f4011aa9335d8df1bd4006ac64ae6e33f1ba9b

SHA512
cfda8289c4c27c265fa843541cdc1baa68733c8e33bc5c2f05b30abafb87f0a8556c0a5b418eb7c4f1a13728f38068eba97e2d079c677ba9a14f5a51f18ad697

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
6a4172f62b3eeabf10f28d0fee0e1cf7

SHA1
d982086ff2e2174a3c49e9398dce06c92df107d7

SHA256
d03f076d361f5395204fc4ac8432109161094416e001eef2a4f84ae1bc31586d

SHA512
f6ee8e9f465fc1f16e2503b3e09cbec4e5722082085f9df321e424e7e7919aae5b99d3203bc450a42a3a5d82fe0d107c8e139383bdb26e0cb24c73baed3b2b77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
6be69cadf84b0308640e76199b12950c

SHA1
ff4327a191de63dd5649815a0c7fbaffea484aae

SHA256
8c34d0df4add7d15d7ca3cbeb7293e664b0594c8c41a8ef61d445790120039c1

SHA512
d686ab660f3f7b520f2f8c88f6f13197003bf5e02dff8eb4999a39349f91e8a1511bfab7a11ea96900f82cbe6383be89445576099a51923d4f774ebb216a4928

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
b207bc7afbb9a9973289dcc7e4e49bcb

SHA1
34fea7ca16d37caaff66f4009eb5c777b243fbaa

SHA256
6c110350e5fd9bd55c61f30e8a815a550b4e1d4d5075a70949d325af5c8b281d

SHA512
a8e0ea18dc2418bcc2c097b8b9aa182304fd10e85663d12059edbc6c681bb845353568f586d0f1c3aa1a1b299dacbaf8f46651f375dc8a2f538f8b02971c7191

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
7b228725a0ffe7888bbdd7d9f40ec355

SHA1
f222e5f4ca0ac0489fbf086fa3a81a970e7b8ea0

SHA256
83e5dc80f6bb84cadd3194115c5f19bb708f6b39252bbeb7b22dc9c6f86ed8d9

SHA512
bc9de090eb18b8ddea8db2e296645d05912512a57b1f08f21d4b0ee870a07cbaebade58b26fb64eddee9ce1ea629dc3a3f59316c98bccdc1a7ec04d6fdd167e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
810fb2bf7db900aed4ec273c6ebc301f

SHA1
fb6c6b03ac9912df541e396b68378308f48e0b2a

SHA256
6dab463211daded993fcd332adf4bd8692dd1ecf837b1a2e2e8f743db7205214

SHA512
79003599076f87b3e18e418ffbb8f5b0dec36004ab7a4b98aed668209ba97086c1304d28255fbefe0978f749df3574a7ad539d229255f6404d7908f3786cdeee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
ef672af5237c0f5e4afeaa545e408b3d

SHA1
55c9056afe6a88c5d0f5d1cdf1c422d0db7e5796

SHA256
fbea3fdf5e9ce6cdce788ed6710ec4cdb1be3c3dba4e01a00733120c4c7c1590

SHA512
ef52766d0fdda3a93f17eeb1dbed5edb9fab97f28d34ada67108a4d5fe611185babf6c0c9495c869ff07b541d4c9a6e1619f21a346e83f57ab3a418b2153e6b7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
74ef18a2eda06412a5f00ff336c78fa3

SHA1
b239132dd46fb87826ffd940027a62d522846e9d

SHA256
53628198b77810dc2d6d969f7a347310bb01aed4c200d30e9293bc273142c282

SHA512
d423b4960508b51ceebbedfe4576e5120047deaf4fcc0341d2b9df94abb3500e406bbbeb97ad7d7924d79bd201dedad25672121790e1c2e81ebadcace881620f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
04e5a1f327c0d77b02ff0f72da68997c

SHA1
a563f01a3762f9cb35b0f9868fdb32f0ea759acb

SHA256
688e8743552f3db3b7449c02ef41fb8316454d6895960818ec714d710684325f

SHA512
c67d8b0dd418d32e79b8c5b3a4386af6ce013997e24cbba67bd6fa583841643bf778a7e40f3f94d1bf49ea9929a9c20cbf7ab1fbd7698eb6aae995c95fccbde3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bcf17efc12c4d3097ca9735759ae8c53

SHA1
94aadf71a8b9d13f80fc71cd631e8820c95a89a9

SHA256
3568bf3d1fc674204523e5db989528e584a152ef22bcc8125730642316a7cf40

SHA512
81921e37c46e474d61f051998cb9a1eba9d5b2f9b54c4c836fbbd0465d660b831831440600c587e3228887eee9d121eb10de8cf52a0ed3db68e31d5fc27ca8ac

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
9119d66a4e518ce5ed980f86dfe1992b

SHA1
c349fd07d8cabe6f4de5d5d1569a1bf82a400b22

SHA256
c337a6bac50df764f34663f90bee5e6140fd226d9bb83596bd4adb40f4e168fa

SHA512
25d8aa1ca3e930f3ccb49e26d7d95c8de0e3c031e76f1a3982485840c31616360bc2f4239e3e5909f19059d64aaf98de5145f648e557c007e29bd6c1926a2c2f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3210591f474f5a92d8e949f51cf697e3

SHA1
b42e0fe4429d42d3f6c354de12d18f8eb7abedcf

SHA256
6cf382f95b89a25c1ad7d7fb77951154b16c1020bc02932b8090bb95b98cc831

SHA512
356227b44135c349d2e8be5d11323f7f08ca7aa6499adb12e51403d2b815983ab38733d841a01952146af363b63a2f27f7a8e1f4efec186d3ee3b21653c28d32

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
89142329cde870cbd3ecd7d05b35ed3b

SHA1
44b26142fab831c80060077bf340a8697858d8e0

SHA256
498e642cc712b75e044f836d8c85390128f86c444fdd9eb5ce1b2f49d7ce16a4

SHA512
6935cd5caf6346f14960689d92a5af52b7702e6eff68fbbbc3dce988eafd99696993532aca7138b2569f8ce1972f507472ac0c9d95b932e8faf08d6c90f70f06

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
2eb8497cd4ca6ae0cba6fea5d6c59806

SHA1
ea5ebbe65db3091fe4b3b33c1747626b265e1906

SHA256
bad04147d0817d5504f86a13d9eb1a9c3e7f41adb33467663c44084dbb68d5a1

SHA512
1577e628a09ed124d213da0f5a00ca1dc892538f26c9e90ed8fc3ce33083bec46ed69cbc48fa8f8db1ee8c6e467af870ed8b89f8fde7fefbe7c051c9d761e6b9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
143c32e0731aaeb6ebaffaad72ee38db

SHA1
a0cdce8d73afe17f204dd7cfee442050b8810ee3

SHA256
d9bbf16fa219e7dd4e96c40304e25d6e9f63f36a6eac103b773ddb91ad421026

SHA512
1d3546dd58085a1d816a9b46cb6467262510caff384a5a1dc844e89d0b4d3dde3892eae96257c5fd88364313b5481dc01c64a1582dd007d8e3b66fce27d68407

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5a1af1ba77dd04070159e2b4bfd28e1f

SHA1
cce4973ed0e5b0780dd909926932c62342c70431

SHA256
c662034246959d96f7e7286e4c4b4f8163953b6ac77dfbd0522bfac4db5c5b73

SHA512
061fed632ebcea31e803c63775a1bd206ed64f8c426284d57f503f17793459d7727c5d42423b25646a66b0b88d117cf03220a348ac67ead2a62f81a0f6b1e108

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8f23dde8a4a3c7a4b834146811e68f75

SHA1
1983f5adef52bf53e84d2a8b747a14e4a831d492

SHA256
eb3aeaa1ce884fc7e172568a5b80e6753ed91372caf969569620e57c4a907ea5

SHA512
e1f1836e316091d2686524137eae40440ffbb057fc3af56359cbe01a6af68f452e340bbd7aa8c344a2fd127f92b24bed86a84cc64a33dc9cab5262affa2809f6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d326628880967f6fd5da5f585dd6512d

SHA1
c4998945dc1ea75dbee3b34a0cfda75f63b81330

SHA256
bd6f82bd976495317dfb6a5bc5a023ec31566bfd3db743db8d826f416cf8d4cd

SHA512
e4636f35239ab932b3a1af9b5e0d4b97b94879c92c1f6311fab0ab3bb70e331e3ff4f4e796141274e32751bcb239610ccb1f062dfa98ce19a66fda485e1ec989

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
8ff23ce6dbcb51035fb561a3b18c2b12

SHA1
ba1c300869a1d8b5be1d2fe65a544fbf1bf21a0a

SHA256
b2377908361999ed0319d0c4732ea095a7c0cb4ac6782b01ec8d91baa094675b

SHA512
94f96a31dceb337b777c0516785d296e1d92e0d2488cd1f9b839a499ee24702f84e97c97b35657a30a1be5193100e9362dbba02a712edb308d03e55b892264d8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
37642c971f0bb662db78818a782e0670

SHA1
b7a7755f26c7cbdbc26983d3f0b60bb213146c95

SHA256
0c4f851bceb55a4c32d9a59193a9aa099d042dc89222d24b90f7616012b3f362

SHA512
ee9c6b1f9308c9c7542d42702c406a2f0555e5002eac9b33b51441b59fbe0865994df360ceee74ec159fe51edec20255d5544c017da6512a607055e474b04625

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
400d617ada61ddcd3b068d438bb095ea

SHA1
74590aa075848cd9d2e7ec7a91ffd6a286d3b364

SHA256
13dbb77fbb2818074e4dc21b1521073fc595d237f6300478edc03d828ff863a9

SHA512
5978496bc36b4a8010a9fb25aade4c636969a120b190e759001109071b6a2c045737ef2af64564592438f6f7df4e01f90ce44856ae467f5a288364ee7be825fb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
40cacde8abd5cf9babd590997e1022e0

SHA1
781c8fae55ae8e489119c2b38bd81475127a2ea3

SHA256
87a402f58a7b20eb808cbead912a72aa181ac94f3764b47e495b4ffa3068924a

SHA512
a734cf861f9b5015d049919bd92662368d9c1050e56204692fb2f28ca4daa5636da4cdd8c90e28d2923a6c54b8e9ecd4fbe471ead21b5db157c2120044417ad8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
020863f69b2277fcd46f8b2d7c1c306c

SHA1
540e14030c46541ebf415eff0a7cff97db56b524

SHA256
f96add61e31311db3fb13b7da34fa89a91e2eeeefbf5e8553d1270ffd1c0f09a

SHA512
12fd591b6f3d6e063d10e56cb1204f647e7347804b38546341128838dd3aa935e952215d479334220b733edb87b01e044833f7dc2fda64974e82d2e5cb1c5e38

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ad0e74044fbbf516821f2ef4e8db8bb8

SHA1
94085fbc7f53dec3d3156a8c5e91a17e9122fb33

SHA256
a0a3fadad558975b55986131a94729c0964a634c6e502eef26160b1fd4a784a6

SHA512
489ca5af6d5a8e9fe7b289973ab001f3d34a192f0d55c3e9074cad31064db23473228c872071edc9d0c9bccfee8932b0c41e61d75f374a6076f22c23d03c85d9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
5e702a42dd721829394b737e13ce7684

SHA1
98730900fda224a31ff7ce5d08b1f2147e352c18

SHA256
888bb2a5d82e3a1171354ee1d81e50b0d586f99614fef42a9fd09028f66cbcee

SHA512
3b397d34a08a55afea2dc2449d46578fb4b28d3f5d046179c39c4671542bb070b6d64c881d1530fe65ecc4db3c4d3d71e89de00fa48c2ea77f7c3ab510349b82

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0d21cf436e1a585deffdcda403e3449c

SHA1
dcb62e65004e9831c069bbd2c7ed9c6fb80f465f

SHA256
72ddc2953bdf8639f0da9d5e5e832d561c42c285c3cd31381edb6b7e2ad94174

SHA512
038b648f3ba90c2bf397e1ecd015172996da77ca4e559350fc13537bd2fe487f21267af7ee5e31879862d00c029fcdf46ce55a7b284e41f978edb8f2787bb7fa

Download Submit
memory/116-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/116-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/116-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/116-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/536-660-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/536-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/552-27-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/552-18-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/552-28-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/552-236-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/1004-415-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/1004-305-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/1216-39-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1216-32-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1216-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1216-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1652-542-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/1652-339-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/1996-449-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1996-669-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2124-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2124-667-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2176-67-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2176-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2176-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2176-54-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2176-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2316-354-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2316-661-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2320-395-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2320-665-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2328-662-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/2328-366-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/2924-314-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2924-427-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3024-241-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3024-70-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3024-76-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3024-69-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3216-391-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/3216-280-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/3324-26-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3324-8-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/3324-1-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/3324-6-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/3324-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3916-407-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3916-666-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4088-258-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4088-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4088-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4472-403-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/4472-296-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/4576-593-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4576-446-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4576-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4960-668-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/4960-434-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/5040-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5040-389-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5048-254-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/5048-252-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5048-365-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/5048-246-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download