a63f92dfaa9288817318c73a9d3aa5dce2cab6f61124182b22bfb63c9b2b7f4e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_3362ab8f9f014e8370c57d8410f93a1d_avoslocker.exe
Size

1.7MB
MD5

3362ab8f9f014e8370c57d8410f93a1d
SHA1

4590c1d73bce8162b52dcc701dfddd5d25b86b1f
SHA256

a63f92dfaa9288817318c73a9d3aa5dce2cab6f61124182b22bfb63c9b2b7f4e
SHA512

929b83d937fa0a332e360a3e6f04be355cfa12d1e890cfb275dcfa7ac97f8e19ceede330431f63544bf663ccd9df8f3ab54e9391479419a24d00cd988c5e8f4f
SSDEEP

49152:UYOStHCl6rKaaIPtegIjdK4gg+TeEDaK2CmXb/EQGd2T:3O9Ue7jdK4LVXb/MQT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2828	alg.exe
3116	elevation_service.exe
2800	elevation_service.exe
4104	maintenanceservice.exe
4528	OSE.EXE
1088	DiagnosticsHub.StandardCollector.Service.exe
3700	fxssvc.exe
552	msdtc.exe
4184	PerceptionSimulationService.exe
3564	perfhost.exe
5056	locator.exe
4792	SensorDataService.exe
1040	snmptrap.exe
2024	spectrum.exe
3440	ssh-agent.exe
2484	TieringEngineService.exe
2760	AgentService.exe
4556	vds.exe
2248	vssvc.exe
1176	wbengine.exe
2564	WmiApSrv.exe
1604	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_3362ab8f9f014e8370c57d8410f93a1d_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cf14718992be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d969bd9abadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e0d92d9abadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068bda2d9abadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004357ad9abadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc1fa5d9abadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0c4addaabadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe
3116	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	444	2024-05-24_3362ab8f9f014e8370c57d8410f93a1d_avoslocker.exe
Token: SeDebugPrivilege	2828	alg.exe
Token: SeDebugPrivilege	2828	alg.exe
Token: SeDebugPrivilege	2828	alg.exe
Token: SeTakeOwnershipPrivilege	3116	elevation_service.exe
Token: SeAuditPrivilege	3700	fxssvc.exe
Token: SeRestorePrivilege	2484	TieringEngineService.exe
Token: SeManageVolumePrivilege	2484	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2760	AgentService.exe
Token: SeBackupPrivilege	2248	vssvc.exe
Token: SeRestorePrivilege	2248	vssvc.exe
Token: SeAuditPrivilege	2248	vssvc.exe
Token: SeBackupPrivilege	1176	wbengine.exe
Token: SeRestorePrivilege	1176	wbengine.exe
Token: SeSecurityPrivilege	1176	wbengine.exe
Token: 33	1604	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeDebugPrivilege	3116	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 5072	1604	SearchIndexer.exe	133
PID 1604 wrote to memory of 5072	1604	SearchIndexer.exe	133
PID 1604 wrote to memory of 4100	1604	SearchIndexer.exe	134
PID 1604 wrote to memory of 4100	1604	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_3362ab8f9f014e8370c57d8410f93a1d_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_3362ab8f9f014e8370c57d8410f93a1d_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2800

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1628

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:552

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4792

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2024

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3260

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5072
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
78a74b74ab2caf15188a19493c657642

SHA1
961974609115d92ff0c51b1548ce5d210ea8bcb9

SHA256
c533aa31ed0c777fb7380399a7469be5d63ed69b1ce9d47c6b9f9ce15dd17178

SHA512
314ad295c2eac4fd4d1e8018d3f4311717310a6bc496f59976e3530a383f617121fb248e5cebe4ca44c24964e50aea8c5d9e74c5005aefb070198882629c2645

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
462cac2d930091d2d329b86ca962ecfd

SHA1
36da9e69429454a2f1e4e4573c2f56104fe4be75

SHA256
8d0aea1bd8813213d76e5bd30e125f82e8f2ca86aadb823bdc7587f1b9c75ca8

SHA512
67ed02f86b9fe6951198907bc2e4afcde6ac1f9f3edcaad992b3418189c2daa542245e835f3664217596b5899496aae43b868dbb41ed87aac0122526ef6975fa

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
2d24a903f36f6cbcd2b5e969db117cf0

SHA1
0f8ea9316fbf30b2000d7ea2de426adc807688a8

SHA256
151aa72aa2e80649db96efad33c42ef647cc5721d9bdc2eb01b7f0e51f7a2046

SHA512
e7dd7ac16de9f3d358d1617fb84127c415e46797d63c8d5450fc94121871d0bc7bd6d0209f3437005691a33ed558b6dc209ba2015b54334d51e1023985a5f7a7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8bdd69ded35b71dbfb3fc3a49cdb53a7

SHA1
47cc1137b03ff2dd0d530d34a537c6f4f8ca997d

SHA256
922d8afe6a89066d51dc80fbafebc47f87bdc609dd0382434da7cbd6224b7ea2

SHA512
39688c041984bb33010cf084c591e8227302fed6ace306c6bd5491b2276a28671c56f99d13f6eaf7103cddfb45c5d0a033d50a934fadff3b266f7e411cf25c97

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
67034d1319c59c81a082a929a5487b9a

SHA1
13357f09b08cbcb3dae6b1d4e41163531d9fb039

SHA256
1dfaf2e63963d20b2edef9c9977fa5904b9db4b4e83b94dd9b30d45c8275d916

SHA512
81d038712612c8030b195f05763c40a7b33f34e3aab7e36a8ff437413622bf8aedeb2a0ec81dbbdf32df5128a62d2bd3d9519bd7a8493261b2662fea9ab2d549

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
01a7a3469c992a56d90d67d118412bb1

SHA1
f067c93a89a03b67b2ada1b8103d0d49620716c6

SHA256
75b0d921e122dc15ad9b106bab9f6d5eaafd7fd1f165c15dc80757a60a641fb6

SHA512
b06f080ebe15bc0c5d652b22aba9468d70fef36e7c02130cda529639a277c6894551b17cdfb3b41a209fc06d285c22f3f3bd98d50f5efaac1a52de7d26a7cbea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
22915fd1018bdf771a7cdff66e04025f

SHA1
2bde677df47edab28c3367c089427763151444da

SHA256
18d58ba38773b93353c3250249b0170dde51056d792818eb3b733c23527329d5

SHA512
363b62762ab362bc05c8fb65459e267a93fc8db2abc7e14af550b95a67a67f68d34b688ecae359d3c38e78ab9e4318a3ec87b998488707c3798ea42ac7ebad52

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a1a33342fd75da79930b1744a4220b93

SHA1
6ffadeb2da310c1c043b3a77bd81e03ccd171d11

SHA256
f10dda3b575fb351509232252bc66b4ae0309af01b0d6bd52ba0156cc5f9efdd

SHA512
008ec9c06a088d35fa4654c7f9fde9b00dda6b3f269ec8e4fa33137b625fbf2cdef17e6e8fe4a6c6c85ae61f95b09f644ba320d1ec90b629eaf4d944bdc841aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
ba30ab0282b557a3a91265c30efac101

SHA1
e6ca32b5fd9054bc916c019cf0b34d5feef208f2

SHA256
d5c6f8cbeceea3cdacd83aa32c7c3dcaffcd3b5f5d5532dfa629509c0864e741

SHA512
ca38d2c601da1124c4916594892ebdc847cba2196aefc8b6d3b0a46bd2fbbe5974945660a5ab104855095cb6e6e524cfe6a30d0176da1c2aaeb28a0132c3d4dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7c7e10a0f2a73127a51fd32dbc9e3321

SHA1
f77c790fccb665615d9a0d648014bbd226988b65

SHA256
e72fd34cac4c58586e918ec51e48af9fe2d28c9307adbc4ac53c5b2aa3324057

SHA512
fbe76340d06c2d30d25dc94960f4dc909aaec2f2e7d2ebe93506474927607fa3c84d41b351f40bf057dec3c06958c367bd24abcef236ceb243bcc7dacd30e02b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d96f4521862224d693e4da3501223856

SHA1
a725ecfc6dd1156f32b13af0df491f61879d1cff

SHA256
d2384c75bf82074461d752202f921f48b38d3b06d59e6c368e756dc0fdcfb558

SHA512
7add5a46f4f50e377fd5b3bcb95eda139ff98879b5d0e6305549b683a1957c6e50ed2c944c0b46471933e8697d5a944f870f1c198511fd4d8e2d9b9f8769567d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
38296d17e23a96ec30bac4bda65610ab

SHA1
35b4a81cf639bd426dd62520a66b9d4acb534fe3

SHA256
8d4553836565356e410fe743b2b88f096ec4d48b2fee4029f02572f296362cd3

SHA512
c8036321bae669b2995d911dd54f751a24f89799f3ebc1122a467977a88c319699c727264b89b768816527057a23602a59047c39304fadccbc1ae6d70a91480d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
0713421ab6ae27f6da6ecb087302ede9

SHA1
2992e53f5ddb53f45b9b43be1c48564649eb9447

SHA256
6fac2290f72a66bb185df37c46bdac8ed394b6c52e9d12248a7793f5b6ebd4c6

SHA512
5b5cf9f80ad529ebe36613149fe8485d9b0db14ac307e24d1db28aa3ab459cb760b46b010e92c360437a47bac251fb257fa3d8e1afe3d346274ba2b0a6040a6a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
5aec032b72efdfcb0e1fcf15f71e18d7

SHA1
346cda133246d322cc38c933633c495072905d06

SHA256
f5ef27ec4ef2600d2a9e5a103a029ccaf77cf23b45be031c82b58a98a088c751

SHA512
52f184b32b6c3ea8f8652f99138b515777048a7c64a149dd83e3ae008b1514297e8135f9580c4bfc9469c904bd73c0e5ee513f254f542033a012b0587dc76771

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
07be1149fe985dc44811b63568f8d02b

SHA1
51f5cf4c1c8cb2583bf0f2e7db2a7c7a0f5af9ee

SHA256
d8a547f4fbffa40bd174e6be015269562b143058a69edf4e8206ab7702568512

SHA512
e50efc42ed9d8c09e41f8cc8f6af27b0ee41b84446e89442990554fb3abf13c8c834c535fc6b5344b39d6fc6710c76a83c78e2e7b992436f9cfc49f05ffb6eb9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6f3610b3eb0800d64cf9d26488f0647d

SHA1
b6af638a4b486b99bd073424c84d9bdf96b3f5ff

SHA256
05abff13b43eabc9a4408e75cd1e91a54d6ef1dba8f2d0d77b1bf6edd74a28ff

SHA512
4873da7528a7282312ae39d32480a4702529753ea5d7310a153bf43bfd39e1d3aeb06b0bd7f5108ee5134b713ff6ecb4b4d5946dd8a48754f7c43bc292aaa653

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8f93d5087963826307c1115705cdc4a2

SHA1
aa6de84ac52dcec3a499859b6e027400cf77dd50

SHA256
fd2131ad55ab62a98f3f7bce0ba5947b2d61ea6548802a376c3fe55ba5c12eb0

SHA512
b95f410826d8baf934c944ca4c7da7fd5d441003dba50345b46eddce8586872666f3261a2145b51fdddae5b3788653663806750e5467de5209b1598f46f36db6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
83bf31659696497eb607232d5445f743

SHA1
8332ed699c32f3b1a5b218aa5e297f6e50ee865d

SHA256
1232c5b02a11be7c28b7bea69cffb21f68a699bc6303ff398d08e5a3d33e5c45

SHA512
15c8e4388357030237b05a2bd842d02203aa2594a93321125c9d552553f0ab0053548a0c971cbfd9f7151423fae07d88d6e2c4a9d1529e583ac0451b8f34d536

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d8e6aa77a840c99834dd3219a36fe574

SHA1
959fb71f327f1d05dff5263cfc7d8d36d2cbc6b1

SHA256
6b90fc937733b91d12eaf01fcf137741f3d61c9e87c67ef7e283bdf7c07aeb67

SHA512
7986548adc9af340f20e0b7292f17547057e7408044513d4cbb5aa5f6e90718e993b78049da9d6ccb6a62a58688a151679c104ef4431350ea415db63696a6fa3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9303584b0978c57ffa2d3e918ae8efc9

SHA1
ca255499fca4312e00e89c78d6340162a5a30d28

SHA256
9e92cca9bd80e150467ad90334eee225f5c8574606d55c8af7c4603935fc87e0

SHA512
fefbb548087c96a8284f18795cf16b1d917519eae97ae7bf0d13fc95b571fca40ae2ce5a66ee5edcc4bd92bf29c68bcddc97c6a69dc561cd8c4388a733bf9a96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
3a14d8cbf0c2a05827bef36616195310

SHA1
e8f5a80bcf11589b56839b70ebfffb6463473a68

SHA256
48b3b4d2f616ec84c9095455f91537f923df23525b4d14edae827823800eca89

SHA512
197f9bf24fa5b130a1662cce60ee2b1457206f1e5f47ec88a5e5581efa9780b6c589466ef306a7a67b3123e3bee5e6e31214a6e7629a459b306e65473e4f9268

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a11d60aa512e6415213a9016d50cebda

SHA1
0c85671848ba43cb4e889bfa5e291f5fb89354fa

SHA256
1ed303eef31a773fa6707482719c3d50cdf2e3fb76dd323878b2b5bc4edc9009

SHA512
53f45b29a94570a84bb7c75075c3e9c9283be26da713e18407664298c633d3aacb35d6f1c18091002270f75062a432a4ffd3a91950129753baebe2287d590d3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c58dd77b52bcaac7c6d40195ea2e96bd

SHA1
1cf89f89b4cafb87e216c445fab9a597c9823362

SHA256
7d94b2967e27a678f128434f07babb67e974a491750520d74cead40263775ac5

SHA512
65aa78f922774e0abb56b41dfb3961d561d7c0b42d24a298e5d428b89dcf87e7a07d229dce7b4db599df74a3611057d3b8c7395080a69a094ba41dca6342d6d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
687a376ef4deb2c6cac103f82c55a341

SHA1
dff36ba5f5f21ebcd1e81cfbef25debc4cfc6024

SHA256
64d1ee47c1998de2e60a4c283264261e59d8628f606345134de0e1f344ba9c98

SHA512
0edb79ddcf2be55b0d6fd09f0a1a3c71ceb1dfd462bac293295b7ec05a1e2cf39aea1437c6a509d47ebfeed03ffdccaa00720acb404fcc59d9bba7f9778626f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
9f5c0ef446e195e9285257835563befd

SHA1
da751511b78f9a30e69c94c5933b5f5ae5fb89a5

SHA256
2d581c2860ddf4e9185d55062c3401e5b7167deaedb34e8c121100286d8e2e7a

SHA512
8d55181d2db16ceb3929d1dee81f952e87c9e72c0488637c7d46981b9bdcf787af03ef7a5888be250b6cd3cdcfc2c406852b4767d7a03cf125cb6d1953269591

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
bc1bbb40609ddf2b8ca4deed66cbb43e

SHA1
6555606646696d793712d86ab6b08cab0d530a4f

SHA256
08047326c7481f3e93c2bf537a652b5cc21f78b742d36a4f11dab624fbb056e6

SHA512
1b61e12196b5552e0ca1d8c2adde91f95abf1fbdea9cdb9149767c02e89ee28bfe8daaf8277a812f681c556c6cd89a4a8c854caeb6e53d14ce5758f0d41e3608

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
1f20080849d827bd5398fa7edcf66439

SHA1
08b179b26a5f4d4e19bff74a388245287920411c

SHA256
9d7ecc448f96bb9bf87b616c65a92f30b636e5f1c2d2dcae05b7a6a288345001

SHA512
fabd41fdb0b53d00e397010f777c2af31300e720e35114898d0149451d6518acde8c14b17cff3f48b95052869af47bca969f3a69e21e1e878afddada9bc9fc90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
b807cf52c511a363f80859a2c90648da

SHA1
ce5543bd34262d84eb3c8e4cbfa83f8f38e6e0b8

SHA256
c8e5066e04c25983d25920ce46713c2c75daee9ab6724218c363599465c2b14f

SHA512
8290da93fb2e25e42fe3ed0e2770af04ede6b87e07fec01f394a644a05466e628691790a878b10b722b5a230561553b4028bb1ebcd59cabfa1ab1ae6f5753db8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
24883735d2f3fdb7e18ad42e74aa4f62

SHA1
7bc9ff7e6e226d714decfc60a41d3ce5c55437ed

SHA256
d22a84fcf057e07ec3f123895753cc847e8990a04c3f20d98da4b6dd5434d7b7

SHA512
1a575c76621794e6f8e94bc2aab5624e08823d2ca855a5a25bffcc9e54d606c7735b16c15da9d52c6c18f49591e572840bdd17936dd664bac4199685f6300b8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
960e7b763e67dd2ef34669c661112e7c

SHA1
3feb6ab6ea0fc9ddf352950a7e33e80a8974e83f

SHA256
1866ce4ddc702d4764f2faeb854d6f54f762edb1e83336edc613fa7bc4eec9ef

SHA512
246ac98da1fad74fd69b0fa228dd4ff38cf6071a10c007c8dd6fd6000f966163571b4800e2d85b2853ba3ddbd81c6bd7ee99b8800721d96f5e83fc5da8c58305

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
4c8987e647ad856df57f8a533f1b80c5

SHA1
d4c36cd9475a2d844f8803b06c68576a97e4493e

SHA256
f3830c6efe1a10fe02d3421476fb44dbfe7fd0648c54c9c6d959f70ee8b1954f

SHA512
48e2081a6acbae5eb7c3252e3ffcc24a8ada13b62f5cf35421117b131d70fde8f17f432505d0930def32bd52e75ea45811a184fbb8a8ebc454ebf6c63985281f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
8dec9283908639a60e656f4b20e92fe2

SHA1
2935e86db43d331bc6ab8df246153590308aa470

SHA256
95a3212f8fc4458d180af318d136ec865452dd01f50b9a824a8aa558b0d26e96

SHA512
b59f0027ee2bf0b9b68351cef8753792566f00a9252192de2f993776a969dae0d9bd85e26e144fb6623dece2ad19ef4f4b366c9dd5fb05dbae07dcbb6b714925

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
905f049e0a72a042845d02b8f60ad241

SHA1
c130691d2ac4486e3782d35537aebb8a7272b1fc

SHA256
eb4c4a888679f5ae673cad2f799483d7b8ed7fb2a8212b9abf07fa0e52b2a769

SHA512
b01d5e627128a21cb250388869f0799abdeee1a78ceec0e7be8430188e8df42eb4678e6b0468fcf0f426c1da5b6e0b5a24e01243540af83e6b64a557854b6db7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
d47dc68c3537e49e4e2079dc5ab1e184

SHA1
bdda3e46ce66d4b93c2dedc9828938a20855ca75

SHA256
5f829e50ac8ec5ce2eeaf5e3690f4facf63e944d668a1c4f70ed95dae201fd37

SHA512
b5c9c63340304c3e7a6d94334a9f0a952ea6a72e928807db59e386f90c5fdf7b6b29b42bcdcbb69ecacee484dcb240093b13e745df23cfeb80ed17b7d480a873

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
4ab933837cf9ea287f38529e725f9fc4

SHA1
8cc4a8954982b579ae1be7a59a158c82842866f1

SHA256
51890664b53780fed2ae917e0d7ba9c78c3ea1b0036d746f69497b797c00f98b

SHA512
9c5a79d767ff505c98b83e766c5a13c0954c107bb275af83fa7f927a320aa26bd4cc85b9ee825596a83f6ad6dde45cc31d0b8a7d492f2e053ce5469c9729ee6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
d696241956507f99c127deb405ad6987

SHA1
96e6da3c325e205a9d7fc1a1c18a4fb6445200a3

SHA256
9e136328ec97d8fede5aff385c3faadffe205a9be0ee3cdffb75a4fb1f7b17b1

SHA512
ff13485bdb50de286ea6bfcefece64d63d95e8097c76e115d01e2a9d67fe1585af0dc63291c78cc9986197d6bbc1ca83dcd7ce13db051e901440c960d0cc9bb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
290405087459535eaf98bcebc16678d3

SHA1
6ce2c54baaf3c560a98084864d070e112d688563

SHA256
0bab395b50a359ad448bb2af071a9324cd750f6cccdc13902666538d232cd914

SHA512
d01ee611bad3f2ccd3e112549d3294ddea0d387863ecab23037ddeaca352d4da85a56625eb297a7f45c42b891e6960935a020d2970748a965b56e231f7f8e353

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
f93885f9faa020f8a7062d83c06a809e

SHA1
86577c9fe2f37363c23431eacd963cd8dab90278

SHA256
b8ad35962bf827a497b3a8bf85263896d9d9f6d4dd4e4a79ed2dea2205b418ab

SHA512
1be700c3a264509e0bce1cd48e73e6f9603b7151e32b698670d6cf69831e4d9bbd9493ffe5497f47c10956d32f5f30126ad09cea6e9a35c84c8e41b44a51d7cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
e55c61d21545f98cb8d63f830f03c90a

SHA1
b479698e41d7aa36bccaff2444404e061f664610

SHA256
aa345ddd1a6bf8876ef0a9941a7bcb252edcb552fde1d0eb67a20233c9c71774

SHA512
44b0504f18d838482d325f8439540c70d7e306b4cb0a766b6db35ab51783122431bbb2c889bac24e9b7e2b3a74d1cd631a4645ac0002f45f776d953a0d07a76f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
5073418e01c576e6b8e83004b478b282

SHA1
7f73bbcd8067e192eb38740115d9ec1d802c3eaf

SHA256
9bbb99e530e36da08af2062f3a02273960a746852cf8e47065cf9fd6a7d1c55b

SHA512
eeb7493a9115756dc25a2c816a98754a3b832ff4d54d52dd4febbfd8085a097ee6b03c6507e07bc1f475ac40cbbddccd3895716dbe8251a8f8bedd1f82fa7b1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
806e2074c429de7ea798570593a1073c

SHA1
28e0394d93cf97b9004c7ae07d60dc8c7fbc961c

SHA256
071171c2f619cede094f204ac747b0fbc881e35e92d7ec3a0793244fe6fcd1b5

SHA512
8c4179d25181f51598ff90a915d8644c062d9bdc6cbfe222eeb238626cd5852d24d37f175d874cbae9d6ad6357668bec1833a196a36cf818f6578b99a3bc7c52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
578fcc34509d03127be1a9483d40e133

SHA1
7cfc495acbbc9f62270633b72fe2cbe86cae88d7

SHA256
59a2fd6b10e770a442d28113afee5a7ca3c01a82324b51d04f794f97d2572c94

SHA512
3d6a83a0a81eedc841b1be00ec414d42b8076385da7f0d2a34add35c51ae6d1df3256ed328cb74b8f0bfa853714994fc3bb85a3ea01014be77c13f4f818370dd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
b79c59a83c3597cb3e8355bf6233a2fa

SHA1
99295031acc8b2beb7cb1f49efc9cf8d7d92a7fc

SHA256
3b163f2099ff8bef5d00fdbf8c7f26245cd1ab2e88ece37cdfe512c3dd97c5eb

SHA512
17747684f1b1585ea3a29b6ed1e9dc4021944ee1150246ffeb551a80552d69b436155882349ca453a741ed0470f6876390029961e90119468d0e9d24e3a058f9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9e14f779af4fa6b3505dc558ce761753

SHA1
acd0c3f5749f681697d82edbccbb453a3fba4f21

SHA256
20a1c25e5235c0fd5e7b1e991b7612efce9f5f0a0a73f916b64db82258d0eb78

SHA512
899ced14c5d84ef7bdc5f88190afb930f366006de5156e47cfd05a0fd745903b97b2438c9533eaeca510490a6fc2a33406ade818add034f732ac1dcb98814150

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6b78c1224cc5778b9e6caf410a3f5c23

SHA1
f349a960ca020191a9530cefa172a45424e513b3

SHA256
85f94b169372a3eb5b0060c469ee234b620d1b089b5dfe3dec656a097e8fac98

SHA512
80f13bf67ef4dbe22f56d046aded1c7715dbeecee149aad115bbaee791f8ce858ea017d661101ff3a91e81ada33b13e09e30b86d66187fff2bad76b0704bb37f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
bb0d82412a5ab87087bcc4268b53555e

SHA1
7d004bdd9ebeafea510139cc301d4bbcabcac8c3

SHA256
6b0f5f01f6d310c766cb142399fac271190f3534db3b224bc0baa9df578ecd6a

SHA512
932bc6dfdf148400bc832e0653bbe5f4796658ea7b708e047a778c36408551343b5dd335fb5977cfeeae225cea1cf91a21543fc594a6cca1167c6fe2c9ade1ef

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
42e96d8877e7792f333a0058b8131dbe

SHA1
b5c447dbb9269eccfc70069d122bc370ef1b2e28

SHA256
1755e73ae3b1fa1b72ad301b04120fbd7f938625040f2318563bf52e182d067d

SHA512
cf4378cec4fd718fa8664b9e84626a1c9b1e762a984aa0a4b8764166f3491f43d79db609b9b7adceaca9b9c35bb44e8d53162dafa0050e9e18d1ec9c405034e9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
de49dffaa648ed1459b86fc10392fd24

SHA1
87e2a75778b7e50db7d8e3e530be22c5a22fecb9

SHA256
a7ceea117a74b23ea809101b16cd60a6625df79f536fffd7e53456e6fc0cf1e0

SHA512
6623d963e062651090850655bcbc40f3aad53f94b7f5dbb9569738194628e7d6bb2db6455219ab68ab4f4fbc20b710ae59c9c6189c93c16fd90689a66bf8447b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
e99b4e957c9f4674efc36486ddcfd910

SHA1
0d6be588d49e6f7d3fa79dc93353d11789827865

SHA256
13894800320747ac62d2054a0cba31c1d013122ec3bad0c4551a085b704218f3

SHA512
dfa8e043f2cd717d55b7f7928e26b40305db644f79261ac3c72d5f6eda68e09b785371efa680988e75d3a1107e9352b3e2cd770ca9345dac417c5d5dad6f17e4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ec23456c33ca3d19e6c81a705a27c4e8

SHA1
43c1011aa9dbb52128577cb13f778c26a0274e67

SHA256
011daefec00b4f9984fd3028cf9e2f72d0f3649c32a8d4da87a58b10594bbc3e

SHA512
8854ebfbb800db973ec5f91efa2899286ead1c313e2ac219eec2a89aa3e3d71bc1120056cdc42aa895dcb13d6326aa6112c914878d38abd647429310188d01f0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a85c23d769b95400c04c8b57ce71463d

SHA1
6b1ca2004345696bd394687513cfc1a375d2fb97

SHA256
eed01b0b5fa8d77766b11b70560d0f370ec85281a29ab2f53cf90f0b2b85adfa

SHA512
c976e6cb069cc47bf648b125b3eff3c2e07e8f107eb2c561590504054f1eb9fbd5944e6b605cda486e3128087caddf2538455efafcb0d7b2fd5778634aaddb43

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
af84d7a2da2b56385b8929177328e04a

SHA1
5dc13038fc5e2eb7ec8de3821a652a63ce04ce0e

SHA256
135f699da91c36d19363e48f296aff3a5f0b02d5e002b39abb64abc386eb5f6d

SHA512
283608e888ee883d7a270db1b9fe62e21610a7131f935487cbe8e208bbe216e0997260783c0d985385fa2f2092f3c25bad34a6d8a51975c34451baf47690e2b0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ba7dcb5926c54359dd72f3dd7acc22a5

SHA1
b42772b72105481a66279576bbebd8f7b88db416

SHA256
aaa8a6c0984431fe2bdc901ea5e3200fd1f900c52539e0cf2367a7bd742d2eb2

SHA512
944539d3eb367a1f8a93985506959d8f1223bc4d66cf91a0b1132fd5c126464c65a9cba3c86eeb3114fc4fde1510684bc224ba534994ae28f1d3928eecf2ef86

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4b34566aed1841c4e140af145d004967

SHA1
279f0ac4fee6cfe26df5874e77565fe97e62ce54

SHA256
f4237c48909ac0c4d14b3fc39306fd7195024b755a3395b0f1adafcc450e628a

SHA512
fec98be13f3d2014e18c077ccaba1c4614cb39dcce97c172e179a979bc35591b1092347c008322b0249c8850f42d4e8c4ee519d1d9e65da431b6e83d09487b05

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9f2bc2fc49d42b745802e6e02ce4ea78

SHA1
c1fddcf7d80ba2b1079d17db117b098dd9f56d3e

SHA256
f9c62535d61c6dfcfc971037516276ef7645d6102f26b5d6c2d046f65f91cd71

SHA512
6ae1a27117eb4f8e37355db83d80967540c13960adb74a273b991b1c55437f2591fe163ba9f120fd34d678541880358cef013962deb8da129b8ea20cdb260dc6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ff8239bc24f6f15fd69e1050d73379b9

SHA1
8b213bd9c6e376521e2d0eae81b7abf89b2a0802

SHA256
e45733e2e8a690f2ad92a92ae2f7a5c0bd5fd7afe46f76bc09ccea5b905357dc

SHA512
54deb1ca7f31d73c79e21774b609960cb08c65f321357e66ec2d00a50b9ab4e3087cbcb6f47e0cb8ac89d65a358afbf444d86cef9b185130e8145a1417a87ace

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
0004fb3d79cfe7d58cb27c8a7d92de1f

SHA1
b9b94692e7b7717b0a921fcdf9194e082abe49ba

SHA256
102ad3961c114e410f4789822bb50f42896cdaa83a5535d5be45b549e854bfc4

SHA512
010e14dea67ded9982c95feeb0d225a966e7cdfa2e69cb075592d7c7ade34dbd86c306900dae29db684b91f55270fce79acf94af4988b26cac74492dce8804a4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
127f6ac07636cf6d9324ffe880237f99

SHA1
da490d55cca2ed5b70feef3bba44096392146dba

SHA256
5d4076dc506801ce529df810934ec3d1f640c1a01f1fdc5f8501d09c817d3149

SHA512
86cf68ebfc98d8b572428f1b0d48e884bc61ae0aa62299032b9ab27873445c658c5d7271cbc7a704923a985b9a11ed6422f7b444d625d3969317c11431e9065a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
de2af36c8eb654ce253182dd6a0921df

SHA1
4cf71f3753167a9de4c4545ef25e5348d2d856e0

SHA256
0b83716c052e4be5fbcc8b2f81f3d282eba249d00a3cfc17b73ee73c505615c3

SHA512
234b77f86daeb64dfcad998f0cf4dabacfceb5f1d69cd8cf50ba3acf332d98eac0d4c5d0b643222266906addc354a8b80e549c92a4178b7a7fd1975ba75b0282

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
81e9f2f963d8640806aa033a4d4fb77e

SHA1
87a12cee29a48d4f5a19c3d6650303a29e08d681

SHA256
4e274eb6eabfcc4c11dbb1a08cbca450e72abc9303ed454d25ff7e5feb6a4d24

SHA512
f250e31ebf77c7f60c7a6e6db1f5c13d60bf3f16c5579fdc01469d9b540e6bde24baa79b58ff1a191a9d94cbba8fae6046c36150eb357f41a6b3f5f3f4a72dbd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7766670e88249f78ef78ccc29c9b1a14

SHA1
a0aa8904661afbae35b005a288d3c93d5a15a12d

SHA256
b73549e8cb0262eee832c0f46db8fb1c0a5c59e93320591dad2fc695cf38a08c

SHA512
e738fdc743b11864e28e8ce7e175baa02d4855705fe42039271d596280ebea8ac24b7f6048da31f47ce73a7b81d89cfed2127887dc3a89e0cd110ff9e09202cd

Download Submit
memory/444-26-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/444-0-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/444-8-0x0000000000710000-0x0000000000776000-memory.dmp

Filesize
408KB

Download
memory/444-1-0x0000000000710000-0x0000000000776000-memory.dmp

Filesize
408KB

Download
memory/552-278-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/1040-559-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1040-339-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1088-246-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1088-365-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1088-247-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1088-253-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1176-666-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1176-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1604-668-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1604-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2024-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2024-656-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2248-665-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2248-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2484-374-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-661-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2564-427-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/2564-667-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/2760-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2760-389-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2800-241-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2800-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2800-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2800-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2828-18-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2828-237-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2828-27-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2828-28-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3116-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3116-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3116-32-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3116-41-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3440-660-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3440-354-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3564-414-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/3564-298-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/3700-258-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/3700-282-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3700-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4104-65-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4104-78-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4104-75-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4104-54-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4104-60-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4184-292-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/4184-402-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/4528-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4528-77-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4528-67-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4556-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4556-664-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4792-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4792-659-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4792-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5056-308-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5056-426-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download