a82fb5ccc833c44520ccf82c97bad1143440986fce4cfe4c1aa70f93589274cd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_f58ea20adb7e834d1b0a8dbc284c18ff_avoslocker.exe
Size

1.3MB
MD5

f58ea20adb7e834d1b0a8dbc284c18ff
SHA1

efca8304d907ed9b23e3cb8b5e96251c9df0224f
SHA256

a82fb5ccc833c44520ccf82c97bad1143440986fce4cfe4c1aa70f93589274cd
SHA512

5419266b0ef663a1baa1ccbecff7b4e69dee6d2ea9511e56b02ca05ff315d9cd9892ac7c9062d48313798abe11201c854e3d7fd5bb49863f27d38a31ec718875
SSDEEP

24576:v2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbged7TNjx+mZCkt76f/24pN+XNqNl:vPtjtQiIhUyQd1SkFdHf9Ckt7c20+9qT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3652	alg.exe
3512	elevation_service.exe
3204	elevation_service.exe
2304	maintenanceservice.exe
1892	OSE.EXE
3172	DiagnosticsHub.StandardCollector.Service.exe
1056	fxssvc.exe
4708	msdtc.exe
3852	PerceptionSimulationService.exe
1680	perfhost.exe
1552	locator.exe
1584	SensorDataService.exe
1876	snmptrap.exe
3636	spectrum.exe
1000	ssh-agent.exe
2860	TieringEngineService.exe
4696	AgentService.exe
4456	vds.exe
1928	vssvc.exe
4688	wbengine.exe
208	WmiApSrv.exe
4424	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-05-24_f58ea20adb7e834d1b0a8dbc284c18ff_avoslocker.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_f58ea20adb7e834d1b0a8dbc284c18ff_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b6de65eb1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchIndexer.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000190099fcf5adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da629bfcf5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068b6d3fdf5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036bb76fdf5adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000087bd8fdf5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
3512	elevation_service.exe
3512	elevation_service.exe
3512	elevation_service.exe
3512	elevation_service.exe
3512	elevation_service.exe
3512	elevation_service.exe
3512	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_f58ea20adb7e834d1b0a8dbc284c18ff_avoslocker.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3208	2024-05-24_f58ea20adb7e834d1b0a8dbc284c18ff_avoslocker.exe
Token: SeDebugPrivilege	3652	alg.exe
Token: SeDebugPrivilege	3652	alg.exe
Token: SeDebugPrivilege	3652	alg.exe
Token: SeTakeOwnershipPrivilege	3512	elevation_service.exe
Token: SeAuditPrivilege	1056	fxssvc.exe
Token: SeRestorePrivilege	2860	TieringEngineService.exe
Token: SeManageVolumePrivilege	2860	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4696	AgentService.exe
Token: SeBackupPrivilege	1928	vssvc.exe
Token: SeRestorePrivilege	1928	vssvc.exe
Token: SeAuditPrivilege	1928	vssvc.exe
Token: SeBackupPrivilege	4688	wbengine.exe
Token: SeRestorePrivilege	4688	wbengine.exe
Token: SeSecurityPrivilege	4688	wbengine.exe
Token: 33	4424	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeDebugPrivilege	3512	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4424 wrote to memory of 4276	4424	SearchIndexer.exe	SearchProtocolHost.exe
PID 4424 wrote to memory of 4276	4424	SearchIndexer.exe	SearchProtocolHost.exe
PID 4424 wrote to memory of 4136	4424	SearchIndexer.exe	SearchFilterHost.exe
PID 4424 wrote to memory of 4136	4424	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_f58ea20adb7e834d1b0a8dbc284c18ff_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_f58ea20adb7e834d1b0a8dbc284c18ff_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3204

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2304

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:212

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4708

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1584

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3636

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2076

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:208

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4276

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
16f0bc958efba0dd0bcaabf6ac6411a5

SHA1
14cfd2bb63f5c9da6ed23f0673e94d4912fcadf3

SHA256
bd0b5b93031f16701bcad2b5c5d532de2373f9fd173c6ac25da9b1c757654acd

SHA512
70c10be0c08fed7f55ac51729ee146e458a4c91732311d9373badf331a9e63472d26925d05c00b2e39213d4611698b993de4da524b517659a0b9e416c3928d43

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
b196669ef22dc9e718d757f770127028

SHA1
32d9cb8ec7364ff775b0145aa6d0ad09436b5041

SHA256
5e7e10248c174fdd1a36572f283d8ede0d540e95c0228108b67d8a417f975f5c

SHA512
1d23e1ce247a87a32963b4bfc303c3567eabf2f3d7672cfd5368e3ac2cf17db62ed3a1d0b6bdfd608d1cfd9ac52547ae3ea16c937a4e69bcb8c9463029b604b0

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
0fd9a5b7dba46488c3e5c4f00cdbb016

SHA1
dbdc76cabe4c03bca6a1c9bb677ccc509824860d

SHA256
8cea581bf1cfebedbd4369b124738d9c39fe3e24aa793398c3dc2aabd8d9cc04

SHA512
ac0f121986be0fe0aad4db7c9bc46a69eff56822a8ae3d3cb26c8d3ec782310d5b3c56bf94a2baae345b57c22c94f3a180bd3a94b2bea7070f075565eb9249a7

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
15c4fe8769ba14003128bcb277fb65a1

SHA1
83e9ff6836d1b1ce34573425a0e8a04fc5975f4d

SHA256
5efcefd76bf87596a04ccf7a72cfc26433e5b8e35296dea6901beed51c50f115

SHA512
88cf7ecba149052220018ee7673f96da6c85ade3e3664196f734f02d884b493d785ee117af4899c182f414cca1c7d1aec1039e420b778712ddc419557091cc7c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
33a564c424ab3280f7e4ab812de982fc

SHA1
60c2a40c4ea1b3dc3b733ed28ee88c8b78067896

SHA256
a4d94cc094b4e6d107143fcde653d257af0cc7aae9e107e50a63364d19d3f110

SHA512
688d7a78844f85b6ac817b4aa5dac1cce67851fef20aede691800a83dbf987d68ea183f7a20f4e9f124fb6483022aa2984b1a814b889e9b061488d6ffe4744ec

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
d30622af38f91b40fb0c31942966f78f

SHA1
7e68aacc87856d2066156522373d7337a9b8b5fe

SHA256
b5eabc6c4a8b6166893e736e4ae6efaf2fc9e2bd61315cc5ed03c0d4b8723719

SHA512
f02f2caed50515d4ea97e1d019d4e14700a763f2831852ca12a76f7ce76b7853c138372b06c104dc823fe009ee8f652b72f4e1796dec2931e723a96f0aaf82ff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
83d0e4b6c0f2744c70399510a910982c

SHA1
cb9e7fc5bd8afbc408c1b7b34604d8d53d02dffc

SHA256
99429a4b17e0514ecbf1f0e4765f667fbe151caba0d481cdc77093772e292916

SHA512
832a73d0c02bf70130b78a51cc0766a27fa980bf52c626064a80360d2918c00fae0c022a52c9c57066664d7c0b26b7b76b42efb32f3094da7563ed30646e38af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
bcaaf2c766f89ad95950d19a186ef516

SHA1
8b389108cce2f194b8873dce95f9b293a832fd68

SHA256
c268656acb0c7c93c272b4b8a6b415f8e4f1dc665eff26c1be439bdd3784e7fe

SHA512
0229c5a83834c4a8e9bc93cfed5100f117987f96abcf741a54374ca4c81e04d5d60e7b9f26c8d0f3b11e3f61b4a9d2c5c95fcebdafc9b422e93eda0a23958272

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
f08cacfa1df4eaf2cfe15c966c5564b0

SHA1
4f14d7a1a8defbaca2aeae7f1951648ff42713dc

SHA256
65369941b8a7287a9ec1ff5e8dbfdfc744cec3e45a7fc4545c869a285dc2821e

SHA512
dcccb9cf08179a9018a2124a2a69bd88bb5e3b91833c1c147103b06a1e0c61772138d0dd3390fe59bd3e07126bcd98e8d0747bb1744b0c282554d73142bb157d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
dc12ded5b98700edad1443be3942943c

SHA1
5c95459f2e9566cc2919991a951735713540be06

SHA256
6f0786f8db25c5be0a931fce46d26b67acda82e71e6165fa0195152a4a5aaf4e

SHA512
1ee5f91fff74d7cd6dc67c8dbb3a4d4b405fbae688693fd2dbd4fcde12b40f27f06b6cc7e8a66a8db76b2489383fa7aeeb822b570f5bcc8b63c3cf941cf15cd7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
3c6236aa1dab14ebafcd54dd23bb4f43

SHA1
2159e202eec19009cc61351914e0b90a0204c2f1

SHA256
05552076fc9104cbf2d2a677079f6f970479ec455756a166a8ae43ca1a4b45c0

SHA512
08373be7dd28d78f663d26641d8abeadb2eaad2c6c8e40901073e54bad67cb18757832d0a4baa86a54ed45c3cc9b629900b08a62c5d5571f5f40b8f5c75c8807

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
6adbb768fc33d4ee991dd9c1f4897f44

SHA1
15ce4357cc54555785da061a039e82f8dcffbf8b

SHA256
a8ed3403f454e22a440f49c66de88c536e6d17563993d7f50c2a6025756573f1

SHA512
032d8c7b87484fafcf121831cc6e06d6e216640de9c68a6f1c7e8f5175824c106bb18620bb4c5d8905d1c7ebf8078e2ad011ffaff460b87d7e3317050c048d3a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
6382375601a42ad4e39ce78d0ab3d311

SHA1
bd829662a5438435c4dd35ef7332eb9fb0cdae91

SHA256
625e35acf1fa3370731942fdc10c0f2eb2ceaea08c3ccf35dd1dc3a1288149f2

SHA512
689fed434ea7c5d405c354e4bb1a75dd94a05578b72f18ffb637f3437cd5611bdd34e9ba2271ce379d05211c3eb431617671d0903010f956d26cf438dd21887c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
d471ae21eb84d49693fcaa2e8315d1c3

SHA1
18393d9b995ed1ed56eabbed0cc72998fe0e163d

SHA256
a3b7ddefe93bd2e4853ae9a7933af79b8c7c7c980f265734b4ac13ed13e2e645

SHA512
ef173e8f78680a9b1d46132df36548229d1cd8c51f484af598d53916d1e80b1c9752f439b8a9c0f2fcaea57c695d911ccc0962bfc02bc6170125ec3aacebf476

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
6b39335d9b3374ab7c7b408d0cad7417

SHA1
41742aff9c2b5248238f9819852b84b1af7f147e

SHA256
4fd233f7bc259151cf8e81170c0101c265a23702b42332c848bc4774eb92cc48

SHA512
6bc0552858be446aedbbc9e20bc69752f151b1328574aaaf1ba9f717a721e3d4d56df481e8d630bdcbacb1c04458aeec50a44e37b9389b1b77f408f1f725c725

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
6623fe25c91b2eb496e2f30d002e85be

SHA1
141c64e4d80b91637d3e7b9889d8f199d13fb2aa

SHA256
940783a9fa02f333ee4311286a71a47a4d4615d0cfd4df55eaf23d90aeeeb644

SHA512
fd11bbc70d83e056e37bd7a166360986cb682f9c7d71be454ac05fe8e0ccbbcfd0bc91a192ca4e1d3779f97ea27b81d643e4854a055514912fccead813e47418

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
cb2b0dcbf200f8e6dc359179001ecef4

SHA1
eae2609125d8aa1e6f3cdaf4b5e090064d83d622

SHA256
95e470331fafe5cce8ca697ce9344618e2c5885eb20ae872d16de9e4a413cd35

SHA512
27d4d6ad121e711e3d8e8fc19b115345c4a2126bac43cf8dfc2d33e7bf617fc39a322790d54e69570e1859a3fa4517e4ab8f4fac67eb8d171484ea09b39fbc54

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
c221425a263a41388d4bef6b3715b87e

SHA1
d812b3ff28eac259d16b9334bf6594c99bf8cf2e

SHA256
fcd8e3aaf9097244d30be5db3723d18ad7727ea32ce48f6353bdc25b3d302302

SHA512
b7fbfb1f60be15340d70b3a08cb87c59ffea2ce7675124378182fb1cb725932d44591974b03b701512da6d295ef3f974e110949fb744108680adbccff4995419

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
b76da0327490aad2ce0800be5526e680

SHA1
da0220ea20cffd111da2fb0f7b54c71ba3583b17

SHA256
26284aeaebd9a925cd12c611e521ab82e0d70687aa3d5b3f4f4980c12f6fcb94

SHA512
fdca0b8273cbe196ee243f6c05da7a704ca1d0f895e9209dc0a2e94e8dfa479d4ea1dffda1104ed3c7e3c870080884e76aea283c5d7045a0d45e1d3442fbdd13

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
83c479f7620509891a35346104d35c3c

SHA1
09f74cde4856213e90ad7a99c1a558d3e07609cf

SHA256
358e528f454afc11bf165cce4cc2db912e50c7b1dbfabd62baeecaa0e995890a

SHA512
0cef9b5b1379dea09f1f88a8c6d5da533642be1ec1940ab71e30d9c391d624f49bc09ca350b1a896ec396c4e88be72e18d9f0c2d4d0c435ff604de494b11baa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
5fd4b306ab8b71b41fd5318e2f6e8673

SHA1
5d32260aed1c2f83e6a003423d6e92874309ed33

SHA256
f8c4db561cdc42bfe91814a826596e18f16cb7fa305dce3e5eea747e19248526

SHA512
ea293bd654673a0c434ae938dfa2ef9d86647ae4f6f14bab3679b19084a39fabfa06fe56f9ecdd8437385c77d55a0f36041510b88172926c508fa73ec3d92de7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
e421dcd5fca0312c2772017475f087e0

SHA1
eaf50440889236f883928370edceeba18f5c1c19

SHA256
52810d1d40b2b039a3813d3ce61929ca58825ac9977fc74f9b6dfb65dc52b743

SHA512
f7f09209a64d92182c963fe01da9e9542e4d3b44c379b95038ef023cde434ddafc8540f09c0a1e6c4f7badcf5bdadd09ade34ec3acc32f29252f9a5cbf87fe72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
c0cf9bf5849751fdec741d8bf4c0def1

SHA1
b503e701427e556fb23b0cf1c15fa7dca6f8fe74

SHA256
b74515e85b21b02b8d8cc46091047ecdf2ebe873f5c7f19f545d643308c954b1

SHA512
93a97f877eb7ad3713c57894c18fdc6f441dd77657782cb78e15b1023c49dea5aed40779ed5d2aca999d5a87929ba6db14ffaedc92d74722b895e790fb5c505e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
259df96a3c3632e049dc975113a44871

SHA1
016b6e457f054701167ca4ee2c40694a91d26d30

SHA256
0f0c0b16742b2804fa0b92d2a82cc96c55987e19e3fea5327cbbf055e27ef84e

SHA512
372146c7f5ccf239b44edf5980a6665406cb1669e00e14e19e953220ffead8c5d6b0d5f41c4725034301c2d8fc2ca97dd4f1d1a41985c6b2ce4195d49a3810fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
35d44994d63966d43a75d8cde30dcc23

SHA1
441b5a9803aa12613ff23f3417cf6c234afb4c72

SHA256
5353b11348fa6418e73f98a81a11673cc6d1902e1af6cdd6bfac4dc1db59302f

SHA512
c630e73c074a34178292a2550f1290f7df892e167479956d41f1a6cb98f95aa182469daca65473891668abbaba8c197680dc2d29927b006b6b39ceb628faf299

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
d46b530bd1282bea01c65ee87084120a

SHA1
f0c40928267e45440ced92f7e09f81cae70e3993

SHA256
0c96271203ff0a49b019e5f4f7b6c2745ae9fc8086fe96c645fe74d64c3d7392

SHA512
30577ed6759717b9987c7f075a6f7ae3a6fbc312a7a584c83831fd48cf057dfe80f5f0199f3d809fc8df231633dc685119a8b2db6c9fb05844c06a9d436ea27e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
5cdd0ed9f09d42b44959bbf67dfa7680

SHA1
f459d23630bdbc1a4d283806bde2a41eb124a5cf

SHA256
35f51a1662c266ef833d20126a7997a914f190f128559b4916c9bb23aef4452c

SHA512
f0687158b54446a1216b6fd5e16600630bf34e2ef098f288986ada32048e65494350e9e98251ba710f45d28668bdd2ea1e5cb4e62d806f64d8860319d6ca8fe5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
f311174273591dc58db5ae2e210cd69f

SHA1
553f3393c51889f302f6c5dea5c620d217ab26e2

SHA256
66c8059243391d5b81dee82e501cda0cfe3fe4f4f503428ac5b798d5f0e37979

SHA512
496fbaad2e891060e84386b7ff3fa0e359f4f21b98a7a361b8b1f89f630abdfd50fa90e162aacf9d26257a4e594aab0d5ece930b773f3a761545550877a3dc93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
1e146b9b350e934903940408a55b85f7

SHA1
28504b07cdfa1b28e3c50996706b894b4e4c4af7

SHA256
273c7ceb7f209360153642db060130c6a873a29dd9179a20957801776caecc53

SHA512
4d796a4af093da36be628740b4d882ce5fc60e65563dd09dc565802e9aed9bfb5374ac97538aca6a8fd8c459f7ea3539565c53b49a94aa23d8cc739dea8765f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
8fdb4dd3898de586cb8eb2e459acef6d

SHA1
57fb122e8a9fa4d2786c8479835a8321b0a85793

SHA256
88b96c5f0d4701e1f53ac5dfb7b3e97607601ec0d896109ce3748a8909e76d3a

SHA512
3ba5b9a23c91935cf658c80fc4a6f91ed17dd56e6a3cf2792f61dea0cdbb5036b1c8e76b74beec3ce36aa88642d972c8b91935297401021dacdb021e1d0cbdfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
c4836154f0e2089496fa86e5b3262a9f

SHA1
d5c9097795d85f2ec44a2b3cf1ba28f35184882e

SHA256
22d998d9e65c6f49b903921282ac855dd611fd623772fc435ade3cdcd8e48946

SHA512
64a675ed239fad67ee76435d928a6f54613d0123000bb8a01099f19d21ea8d257c46f9ae96ef8a2521f89de2711f0ed7cb43cde3767b7f22a993373de897a55f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
f90a3cde21bc8146df40b70b278fe090

SHA1
0113ef3e4449d670d01a0eeb821819d766c088d9

SHA256
30f392bfc0746ec311486003b27631a4bebcb89c9ce008c5c5ec5f1466943e0a

SHA512
e4620eb056da91a24a26c95ce9f010be7795ab1202514011d273f29427c59fd3a7b9c2ee9871c7e8ef7ce5e657a88323deb8d48704368ab2408c5697cc15d9bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
4e7b7c78eb8c5484ecddaff57f1ff0bb

SHA1
f3482921acc42b3a2d66fe11df68ee790e463a74

SHA256
40e97c1189fd1db30aeee0aa8a70a8ed2e588fb812eaf3d7835985c067e67841

SHA512
abed6e67dc10436167517ecb63e3f5f5acba308858d58a47779daa6c8795f2438a843f1369b9d1e9028d01a4dc6f0f34ceba20fb8b81f8c4af97d29250946ba5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
501262503a60f1dad3059bb27335baea

SHA1
d6fa38b66e70645487dabac0355615e7eb36dfa9

SHA256
ede459ab6d764026781d5476ba99da403028d053a6906ec19397a5f6fdd35357

SHA512
b51fadef4217878460579c8794f3feb44800b04bfbd54b928d0594d2a2eeebed1782e65b53aca52b6973d1c9a12f0293c01cb37a795c89681acb837a1d465621

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
86521adb2c024a2bf82ad4181c850d22

SHA1
57cbfadb8b6b62b191aaa6ae2dc6f51989856510

SHA256
3933616e53208785e59b9760cc1bbb75f6e10eafb2207c8ed3bc3eed2eea4fe9

SHA512
e5ed70fe68c1800f1442e8c52eda5169c273a9db4e7d6c9508c35b7bfe9673b6fe6f638b1ed825f6a4341d2f5f4f3376868770877d144e23455f951286284c46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
5f5ed1efc68991d55549342d42e0fe39

SHA1
2c4e72dba0f2c54bf2c3f243fc25f610a1d76128

SHA256
528a1586d17228272926a0c5d939a5a05e67c078f448d0f96a3600cbf854c736

SHA512
276dac0bb891aa3022901550d2489babebc810d0bd6b0da6231307d0bc53fbadc3859c3edc6398a8cc4b314f4dd2cc352358d2b689745a7ad7e8209bc77117b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
d4284aa1d35618d3203d3011db7742fa

SHA1
1004b3d6a15d59c39692c3f42b15596ef6b38868

SHA256
b2b70f62fe4725268c5ee6baa5cee8931ffe6883bd21fba1f9bc26285a9cb1f2

SHA512
8405e5556e979632c1b2816c2483865b4388ec0cafa5a520124a7324f99dd815d09283c38a363756f828c3e4f8d586ca5ec845d7c46e7749643d01bf08681fde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.4MB

MD5
195f2d2352758c259cebe655fa15e0bf

SHA1
3d00804981ef0f8421543117ff9a330e03572aa7

SHA256
15494f8c00dc6033d50db3b876f439840d4c6fc460435511cb1227c6a85aa00f

SHA512
cc43921d38683564d16ec25309dc1fca048beffe979a35e61300e7d1d464d2b111cb53dcf215a59c076426d7bb3f080ea7ba16645dbcd2d77bcbc8a75cc78ed3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.4MB

MD5
6409e16e78d9a7126cdaf92b09342262

SHA1
9bad2db89a59fd8536016fe32c3f15d43f30ccc2

SHA256
3eb9f0650f9c18550031bf1c051ca5039b93c717434985fa582b5e17e6389315

SHA512
129e6f59630cc14817edb43f80c07177f2edfaa449880db822e40afd558e045728ffa129305478f3d0873c130ad9799803ac5e55e5195ece9e468b1fa1a50da0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.4MB

MD5
b40f354122b27c744fd8d4400e7ed5e3

SHA1
ad53c2685a68f6564e1fa6f44da5f330c8a67dfe

SHA256
8cbfa445a59dc2ece7db46c0749c0e279abb6a5b35352642580f179b7876e04a

SHA512
640a1dfb70cfded20525c4378f89c33bf075fe01af25136532cbb2ecdd44e53ef5d41dac7c7de8322393f69d513e3b37014d3cd03226fba962e9b0ede059e5d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.4MB

MD5
d2b0999f4bd6efb0fc3d3283e0304a48

SHA1
33ba3d68c44290c62380754eb626aff2486e0ba0

SHA256
7d8ce7a0d9a8320a9facb3c68360ff7e056d2e90fcf71140e486fdb7b3ae4c9c

SHA512
b54fb088bb0e3afca836e0efe2ca48dc8faec1483bac91f526ed12e904975d4ded523f1aa0ac0cf634ad03e401346ed9ad6e660c4d66d685248774d2f7e1bd16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.4MB

MD5
cca25ee1fe9a74603fe7503ff4df6e55

SHA1
0eb05b2d5e39f257f245962bc7ae8e3e28ab8fc2

SHA256
7a29adc33289c29188d359499d6c19ef9f190b5e093ee54213e64b65ef91ea76

SHA512
83b367cc61a7f08ff9aae3b6fed50d36261d966a76b1655ff43cdbd2fd2ba0cad0659a9de2546aa05adb8226f0762a58155b52876ccde206506bd1d89c91b8aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
1.4MB

MD5
36fb36ce983a9e9312ae1e26f8963989

SHA1
90b606b070454718ba0199cc85d125c6b3815c30

SHA256
7e5f6e647bc37358618cde14a2208618d52cc284c1971bb3d87572fb361be9cd

SHA512
105c5a6544b83adc4a26cade29dbcd932290a5cb73f39457d1b44c421539073cb4292ed0a15430cc40adc46c71a7a19999ccfbae82b1da1e67a2d6c64ba734a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jmap.exe
Filesize
1.4MB

MD5
f8e3a37279cea6503c58c43db1b8d82c

SHA1
34ea93f1ae784e1d3028bf8a73f116c9b5453430

SHA256
0d3af41985bf75d960893a0645f483fd6ee5a9417c46851679d1294c4e7c40a3

SHA512
cd7bc989b3b36b949ad52721e5c34705076ddb1769c3b2fb0f6f702da4c03a7ffeb94f9e22e4670ad78d06f23f6a49f6554d1206546bc004695aff2e07a0194a

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
e4caa2da3c4a1e8bf8c2e2130ba6f094

SHA1
ca758b1b253c8ee149e4e1def6d94252f8571547

SHA256
3cb8d202ecf41ffa2ef899bd4d82839ba7d0849ef09e5d30ab882eecd020030d

SHA512
27de917a4cbea1733ed3b619f49f485cfbb521e1d21d568d8607dd7eff2bfea47d1bde38c6a9845870bb1dcdf40fb06f0e7172032193375f6d906497245c3c12

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
d75e1f1c8608c2c0647c96612cb9e55f

SHA1
525252cb842e9c3fd0cf1106d0eefd4cb26b75c6

SHA256
3cf551e4d75d41302356543b63b7bd65a4df78a4fbf0684e883a70c5f05d45d9

SHA512
9146c48c629e33d34d53fc67b653ff6f2155d13cb47c8c076236c387056e10f4fe7ab0569a1c7caaf941c4200b5c2be572d6ee06fcb2804fd7ca103ce0ab4de8

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b74504a71e2472d958e7c77d6f06d020

SHA1
4e07ecba7b28d52d9778643e58ba04ede8a266eb

SHA256
8712f73f378049edf0353db6f2172f9ebf9db0cc39992aece1c809d497c556c7

SHA512
4358942d470cefb1cd2cf9362f684df25824dde58d4ad4d112394ca86d9fc688accf697031bfca2c4ac9cdfa9f0e89dbbef2e23bc4b215094cc7f0941de0a5a1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
46d7470c0edc1437c827fefb6312e7d1

SHA1
36005bc8f3dbad8b9873905e7aa82afb86930e47

SHA256
7b56f11d1126d5778113cb5c1f071f64ef21ad34a901f1acc9b6ddb948fb6b03

SHA512
a15a27071486bc4bd3669f5dfd05fb600baa6260c1a163e59a3d0e89456e9a700e1abd29f34984b929527fd79f4b218713233445039a3b168c47fb1a0c501950

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
d0ac081551a1bd868b3da7623b24e89c

SHA1
1321fdd4e12ef9d0d1fc0f554a2e1494dbf63135

SHA256
eadd128f7f49dbfe0ba42a505fe122bb95495333917864357f024aa736f3ff5e

SHA512
384d53c385b380beea8ec6a28fe90ac063d4471d2d29082167022dce00ddece752acf86b083cf7838daa99dad3b487c936b783f54f33253b0171facca5ce4f06

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
5e300da141143af1646a4af1e2fb58f2

SHA1
c4369788308872a083e7b30750794a224d2b7a83

SHA256
019a338bbf53b96ec42c00540bb71e1707051b4270bbbbcc02611237441780ae

SHA512
df076a5bda71302b3a23aec1c4b2137e7553cf28ef18e4e38894a9c09b8ddf3b1e0cc82be42a3898142edb9fcef431444d6f78cbd41ea68e64df92fab74f486c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
9f8aa6d8d5202b9c7be017c72bdd1e34

SHA1
c8d9adaa86338a5b8fac333fdab430bc5b05157a

SHA256
a44d15935758774bfdd531ba63fecc2b585fb20d745e8d143bd05818b04ae050

SHA512
55dcaba58b0ac419e677c5e3149d34b8070e288636907046bd77a5869a2d714c1590ee33bdca5ca6ff35813d80ff31c8853278d00bc81d2ce915ef3d7c570dc7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
4c976d2cd3a6c1e35455ccd35d2ec60d

SHA1
79edb6a255d957b6e48918b434a39d5bbe058f28

SHA256
85f8c358644b115f7c0d37e2e13993729185f5cef9ad23310612d84148607899

SHA512
3b446375a1cce02e04549c3d0318875d445967f0127302ba841bc64ed0378770f0e3cb9efecc97180871fdf3509dd0c794e159627d6982c8dbb585cb455c9667

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
917f124257b77a6419ecea9aadb57b78

SHA1
b171ca60968762c6ce8eda6c9e18acf24cfc8590

SHA256
b8b0ced2e8ca73047e0a47595ad5fa86931f10bc81f3e91417cebb615a4d9da4

SHA512
01ec0ffb01db9c15787b2762ac89a30616afc15d1e49bf1b5906205bda7581333707482b9567df6cd6ef1c31c44dbe794cd9685d7108c8a3f819c75462262836

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
9034f6419236feaf10c5014eed49ebac

SHA1
0948902dadc2e68b8dad86c5dfc0242585f514a9

SHA256
ae90dcd56932ef9315e35faa6573d7722e608214275ad2b9dc1cfa2349cafae7

SHA512
87ebdc0234fc97f35d658ff44ceda4fa1f7f9a0a00cd6fbd9313ae3f78e591b4b9cd0e6b941c051aaae6e3e22bded64d2ee7b9b21631c90629d49a205a417b8b

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
ab6d08c5da23ffa443c12f122c06ae3e

SHA1
d8df84b0e153043b20d875edeed64ffcc35704cf

SHA256
f8824675089cff302bfaa6f7e1398d70a058e06a6172438e786d35c2e33f7d93

SHA512
8457cb513ddc388b57d393c5faa2215e58b679f22ff58876cda50d82acd7d2339c37c1764f179ea9a0e516738669f7b230e8a69431a0f72d3afea88930fa803e

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
27f697179e0a6b509c68543c2d64f6e8

SHA1
4335ffae8c292d85c5e864428856bd63753945d5

SHA256
15168e9648fa53c4f933e179b4f7b3eca3639808e8c88767476ae36d18afdddd

SHA512
f56fa83180164d3ba164f36ca1831483674dd0c24c40f9565d1de60c11d581e17832db8cf3229378481cf22333416d50c07d083f8bfffe3e4c84bef10981cf53

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
dfc833c893f7c8ed151ae4c33334eee8

SHA1
8f8f64e6fcb5d52781d4b6ec8a97b52c2667704e

SHA256
1b791d21f008d2fafb667fa99ec3b8c4fc2e50e449e7789923bdac5dab5fbc3b

SHA512
f57d9fb713ed426bda370def0b31316802f8f7fa198885a4671d4ad688cc2efcb6edf02e9e9bf21dbe0381e53292029d10ffd50cbf311bb68bcc071bfd4442b0

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
d4d183af9ed38dbd6d6ad8c0fbd3cc3c

SHA1
7918ab7d067930fd38a92ef3535bf7e18ea674e9

SHA256
100b93066e982b84ba68212b2029b566ffe57ecaaad3fc66dfa57717ba57718d

SHA512
73a4a2bb0366d77d117780e0782b2e6b2235d4b007ed5d2d0a7c17cba4d5a65051b3217a14f3a41520e55bb27aa3ae393ee73b65ff8cfb086b15cf576c9c2b96

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
58be22a957630323f813e9f78a0ec84a

SHA1
1651b28971881d2358529d7530a96d000b890948

SHA256
77d919863988c030d4d7be7bf9ec99bb881d8342efa2d1165ae83d7b9b41bba8

SHA512
86e59472466a9976c7e4bceca9f6957521f7291ed5b691d456e2e0f8e196ca79d9017797cbd095c98a9d5c338d2db4d986d313d1158db85a75e39234d6f321fd

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
1b7a198922c1d8e272e62cd00710278a

SHA1
5fe8d2157f5134d2be4aafa3162875ae38117ffd

SHA256
a126c084aafafea31306fcabb62d53581be541dc7f96c32b8bf2145fb911065c

SHA512
8dd87ecc5a076d23e0b7b249944898a5d127e86fc7c20f3a2ccb5d06a435e4749001034824cd5d86d47cce4a66cf36389758adaaead6ec9f073aa759747aaf17

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
4e4b23601f095904726f23e4c9469c25

SHA1
9102df5323c71b3b926146d84ef38710567e173f

SHA256
92592d3a38ec78b6bb9d6ed1a0961159c915e586679310cd538925501b07dd1e

SHA512
1f5dfa864a50cb5b4b06245317dea414b0edfefe3016e56fc1e3095d48db2ea15feab9a6dee8e84e6d0ccc98ae1d0feef97b999d2bc61706af2a862e43b2293f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
8f1a789518c0cb4b8aafcab5cc5efc16

SHA1
8dfeac5c6523b509465086678c503dde8dfad26b

SHA256
400972609437a61d4b51469ae0d7477f2780c97ddad0f5250bb8ff3d6aa5635d

SHA512
b6883fd245d80d5e8e09d825f1527017fa3066e96b4fcd915d03822c91796cba766bdc7cf68337fa02b3a0a2a0075da10ce6ff68a237f99393899ff540c14eff

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b37c1e19fc399d9bd5b83b3c16cf9389

SHA1
a8b348c43aa7c5377af8e96a878721027c6f1b4c

SHA256
29a05717048a9fc164244adf8e05522abfad9346ee40b2e3718da37f35dd7742

SHA512
4ce565444e1129cef0a5a4bcb5fa8e5950d683bf8899354c703d6363bcff08d75f6e284bf5fbf411ec89364ea0143fa746a4bcf949777c42be3e66b2fba3499f

Download Submit
memory/208-412-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/208-630-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1000-621-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1000-344-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1056-255-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1056-263-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1056-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1552-300-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1552-411-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1584-614-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1584-424-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1584-310-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1680-399-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1680-296-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1876-611-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1876-322-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1892-74-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1892-73-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1892-239-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1892-67-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1928-388-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1928-626-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2304-63-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/2304-65-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2304-53-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/2304-59-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/2304-52-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2860-358-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2860-624-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3172-250-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3172-244-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3172-349-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3172-252-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3204-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3204-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3204-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3204-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3208-1-0x00000000021D0000-0x0000000002237000-memory.dmp

Filesize
412KB

Download
memory/3208-6-0x00000000021D0000-0x0000000002237000-memory.dmp

Filesize
412KB

Download
memory/3208-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3208-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3512-31-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3512-30-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3512-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3512-37-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3636-620-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3636-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3652-234-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3652-27-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3652-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3652-24-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3852-387-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3852-293-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4424-631-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4424-425-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4456-376-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4456-625-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4688-400-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4688-627-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4696-361-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4696-373-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4708-375-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4708-270-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download