1448f9c2be1766a5d0de189c07315fefb086079005b3215734cdf562a8e8fad7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_17eb0d58bfe6db693f15626d933fab60_avoslocker.exe
Size

1.3MB
MD5

17eb0d58bfe6db693f15626d933fab60
SHA1

65c5930166205b9f3beed12f8a96c074ddbd0c4b
SHA256

1448f9c2be1766a5d0de189c07315fefb086079005b3215734cdf562a8e8fad7
SHA512

6ce989a8744fa35a96b193e85550407f50ed907560c20e5d951c83b211ea91fe65a63704743828fc1f5760c52c650f68449879190e250ab3caf8e146b6e0fc12
SSDEEP

24576:t2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedJUOoTqy8QCYrLLeYKUML:tPtjtQiIhUyQd1SkFdJ/ouy8grLLesK

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3940	alg.exe
4548	elevation_service.exe
3340	elevation_service.exe
3192	maintenanceservice.exe
4292	OSE.EXE
1712	DiagnosticsHub.StandardCollector.Service.exe
2564	fxssvc.exe
3092	msdtc.exe
2080	PerceptionSimulationService.exe
760	perfhost.exe
1388	locator.exe
688	SensorDataService.exe
3888	snmptrap.exe
1664	spectrum.exe
1452	ssh-agent.exe
1456	TieringEngineService.exe
4164	AgentService.exe
5104	vds.exe
3532	vssvc.exe
1240	wbengine.exe
5032	WmiApSrv.exe
2524	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-28_17eb0d58bfe6db693f15626d933fab60_avoslocker.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dc572f11e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d52619ef1eb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f64f5ee1eb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9fb4fef1eb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030c516ef1eb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c8c1bef1eb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000072538ef1eb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4548	elevation_service.exe
4548	elevation_service.exe
4548	elevation_service.exe
4548	elevation_service.exe
4548	elevation_service.exe
4548	elevation_service.exe
4548	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	648	2024-05-28_17eb0d58bfe6db693f15626d933fab60_avoslocker.exe
Token: SeDebugPrivilege	3940	alg.exe
Token: SeDebugPrivilege	3940	alg.exe
Token: SeDebugPrivilege	3940	alg.exe
Token: SeTakeOwnershipPrivilege	4548	elevation_service.exe
Token: SeAuditPrivilege	2564	fxssvc.exe
Token: SeRestorePrivilege	1456	TieringEngineService.exe
Token: SeManageVolumePrivilege	1456	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4164	AgentService.exe
Token: SeBackupPrivilege	3532	vssvc.exe
Token: SeRestorePrivilege	3532	vssvc.exe
Token: SeAuditPrivilege	3532	vssvc.exe
Token: SeBackupPrivilege	1240	wbengine.exe
Token: SeRestorePrivilege	1240	wbengine.exe
Token: SeSecurityPrivilege	1240	wbengine.exe
Token: 33	2524	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2524	SearchIndexer.exe
Token: SeDebugPrivilege	4548	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 820	2524	SearchIndexer.exe	119
PID 2524 wrote to memory of 820	2524	SearchIndexer.exe	119
PID 2524 wrote to memory of 3048	2524	SearchIndexer.exe	120
PID 2524 wrote to memory of 3048	2524	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-28_17eb0d58bfe6db693f15626d933fab60_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_17eb0d58bfe6db693f15626d933fab60_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3340

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3192

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3092

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:688

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3888

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1664

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3892

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:820
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
47160ddfd843e55c2e274d42981f5c78

SHA1
262b8deca225b82237a80d7cc152a8d0dd06c63d

SHA256
8c67e2e7c37b65bf8b5248dde7568a357e840bea28efb46a7bf370a5c78eb6ab

SHA512
2fb04183d00114e89a895a073dc52ce58a5e8b25fc5bd876977e219a7a97fb3ffb117761a03d441a116a73e82ea14e0b8c5957ab18d4425d87f310b34f07e3d1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a52fda8ff858c5da758b54df43f41d82

SHA1
7bce15074a5dcdd4f0b80626db8faf3efb45c42a

SHA256
6e46d4de10484d50eb0fc57e327539766976efda3c3867cb6f163deecdbaebc8

SHA512
bbe5cbb04cc0ab4d5a2ced4a86f068c053ca9451b635aca8ede40d4de79be1e70963967ca79904a33ad94195e64c59d911e6c7864b37964badc1a8c0a5f48047

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
d9e007659b288ede5d842da8fc9503d8

SHA1
6b0376c2c4ec49ed5e28164391864be6575d4389

SHA256
414c0e50ce5b9c15cc3e50cefead5e4c627bee159e92758fa11c0cd4c20c6ce3

SHA512
dbab05ba860fa39378b6b79a995f66fcdb3f2773f2d224d6ab216c5dc755118278684de12db61cf00db38138252ce50ab63e13a139599130b067b5c34bc7d8d6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
060b9699bb38927baafdedb2a41369dd

SHA1
773c6b15ec86410ee0b6b75efaa8365d225cc0b5

SHA256
fbefaf643b1f3d83dd49dfe460ba6e406c12f132e94346557d18bbc3fec820f0

SHA512
daecd1d5b84e6620c3a327ebe02c9870ce7c86fbc91fc9a38fb9dfde97c3012db473af92dc831e9aab11aa164c36717840546c281a22a7cca15869d8ab95590f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e3843612db1143a0a221f3d81b76789a

SHA1
3df69a12ec63f2fd496f414d1205b4150ecde7b8

SHA256
43206556ee340abdaf35d94c89c90d575646ac727ef315ce8c4beb989776b813

SHA512
b970cbba9bd80c2fd9857ae5e200f52f15a45b5fa45dbb94dd04f9a21c837f898302582c128e7eb63dd2fbd3cb5836114addcf977945a83121ae746f17ffc294

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
9effb7904499b5d158d33f4ed57363a7

SHA1
50bd162fc0f3ddd3837c0d25a9300d0141f6fac5

SHA256
a7be0558248a43630690b3b10ca8c11539fcac9e36d16517c1426d2123df6139

SHA512
207587a531dd8c662025a1c391c716c720a1466fd2d6b5946f6418f6e2d3c5b3011e4e62dad67f9971dca1a60508e1be61eab802687d0f170110ab1871dd7d0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a08965ad267d825ea6ef1d33d5c79887

SHA1
da69bbe617ada8e57ce09c76c90d08a7590361b8

SHA256
37f34bf1765ac939b2bb45a850ce3df1edeef1315a0a4d4a9ede6b3301532fc0

SHA512
9e0fc0a37e92b8ab8efb9b490d14e6e317c06c59d4de827a6e59e37388f2e0335d13d7bc09af11a8c73ba8d05ca63ed2b4c3a8842bff54bfb42a9de1f9c983e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
995d67eb1684314a2fd0ca57a824d61c

SHA1
8a05e154281cf4839de4e83206621511a7319a4c

SHA256
be0d8a07cda2dac54d2aa6ca4e833f943b709e03dbad5f5bafe49e5a97e9a29c

SHA512
b0166049d2636acb34c2956e7e9f6670f06247c54d4c52ff4246f49bd61d9811edac02e3b13601cc69aa5e225eb93df90a23a17cf54ccd4b868dfc929164de0f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5a8b1952f1440de5ab188b6a3a04adaa

SHA1
946ef8455fa90a9dad8e60fc08eda393cc45245d

SHA256
4da8a9c556b440cc03f5e9ab377e5097c1693997825ccc628cd6c75d507f3f24

SHA512
21d44bbe50ca35bccc85fba9801670b42c1a8ef75063796d383f6a2d8900b1debf580aa708d57ff2e264db05a4be0a35a7702a1b6f633f2e6956c82fb9572226

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
08fdb98b2354945eb2a36e7659bef6b1

SHA1
b5a2a548389df6279ee549118e9e06f8dbc1b7e9

SHA256
fbd155c774660a515c140d4132ecd8f68d851b0909849561c634af2b4379edf8

SHA512
23514351faf35a4efa6f59c1e87d87ebfe1532988d26bb19f93d74f535b6b31ba06c3988f9b59d652c477553874591cb4d7f0b2c3b62d32cca855a53f5580b0b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d74f7c06d36318c4e7b8fe97a7924a23

SHA1
50b0070fb4468148a0cc41a2b74e98b242e50800

SHA256
f4c9471df7b0e3371cbb83397cd068d90eb8dbd3b00c16a17b2e2e43aa9f10d4

SHA512
5a4ee4f6c412da132a52be0c24b417c773cb4f1f71acdf4b38da0e894e315125b151d3578b1e9acc4455b2735852a0b1c85f0b51d34457d1e98547ad6e8668e4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f8af3ca5f59e642c643025005401cbcf

SHA1
9d95853f5dcc6c5969acd44811a30e9b8ad51f0e

SHA256
04f8816f7ffc0fd1cf39db3ab0c39d5835db92325cbd6172e650457831146db6

SHA512
9d87a7219af2f6df78ce3e17e30d5e5048a66a11ccc0e5f64f1f9e178dd1e948cea51f78680eb5d5746cea5913356b2543e77cebdd0e9c60053a8a3e68ce2c59

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0bf1e38ad776b721002c5f2e2ec3935f

SHA1
f15f2f5d7a654fa36c671d037434087b1b73a033

SHA256
ec8424c25596c0c814475c39256036f82ba9d668ef8437785a291a461eb067fa

SHA512
9e3a93384b04b427ce730b20185da1ab800e4546690fb88226cb93a57a5fed8c6cfec2de8aa4ccf54a86ede2226cf5220bd0a6a22c8f4de8994a03a3fd88e466

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
77da710a97fde2d34bbc7cae35f55c95

SHA1
cda4e8db350585fb542ad94b84b149fe27eb1c56

SHA256
44551b47b76ee65643a55dbafcc947a9b5c59c7f9b587bb4540b6e1e1252092e

SHA512
2594f77a180dc87bfe1af3dff52e7f1a2c3514b7f4d1047645055d3e2d405d5b10f78b77ed1e8845a65fda5e47c7ff843fbbb26e0125c80d060c26418f000335

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cfa84dcf988c255dda382b48adf549b9

SHA1
53afc3c0ba78030a95082f215f874ecf45988d02

SHA256
1ec9cc7a69aed997c0039d1ccd147aad55f0a50509389058ea27318899b7eb5d

SHA512
6a6b52eb866d224f8fa2eaa02e98fab4dfeaeae860e5884f715a42f082edba6938d793249b5d5ae7b6be4522fce772402899c5cb8b059f0daebb9934486ea1b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f697b95854b93a0fa4ef1db104e28e78

SHA1
091256f38cf05aa4e0144edadcf6079f38cb57c4

SHA256
4f033ff44ba79330c5c6538aacb056e04fcb19304ef804a4f576a87f314cacec

SHA512
51953c6bd5528c62c2752090fcf107f9afbccd7d18d393ebd408dfece44ebfb9ef0def72a9b581521c23856ea0d496b76188bc29f382d51ff24b172b43fe1428

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9436e9438a881abfa5f15b1442fc054c

SHA1
5303dbccd7ba2c26684b2cc16af6982fae4cf66d

SHA256
c07550e760b6cc551ac33030c2eed08abe527363f7d3c25f58d6ee090a75c795

SHA512
d5b386a3c44dbf14a38650376021a235e57b5b09fec60cacbf39545f2e04934d85b7484a259b1e2c771e31643769ee0fe882e65ac1fdef53d5d7d1a548980716

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
523345747c2b026269d8986ed0bea1fe

SHA1
f8f792a00a3ee87116fd7e307a826ff66d4fbc82

SHA256
41f9d31f4c879726c67b4bde406f44191dbbc10856fd5528b4bae79045ef7e37

SHA512
421b05f017389a888e36df338e54d6bd575495d9dec8b1b25273c55f2ed3c331acc82b7924645e12372d5f9c03468e57d1c12314c7282b87a655cdfef5bac335

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6923d72eb6c04fad4e593e8060c6f47f

SHA1
d953f743e066f008fabf99cb0e4ad39b46ea748b

SHA256
372fd46a71547199995ef3d1730fdca4d7319fab4205ff498c70c9ac954ed980

SHA512
5fe0a98c4d36e4c2a1aaf4815a812cc4aaa4a537c60f0ddab73a4aafde94d5ec57da5a6bbb49c975f96e2f36c56ff49b6ba74d9e2667ddf771240d7ac61759d5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
49d67b5faeb860c851464aed7d16c17b

SHA1
8c2b499eeaf1049903678b8bed35b6eb91d429aa

SHA256
e4e7a141bff8141adf31ab8eb97fe92fbab6739530a05f956fefd93f7a63f63c

SHA512
43db2ea9eb36d826ae03f054fcfda844968af40c3ab174eac31e81be2228370394e8059ddf8745f8ac3a8901fcbf0d186d9f573bba65842e92897009bf38cdcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c3e635c2daaf0cf83163fdc2edb1c767

SHA1
6f5c25aae502af2dc7af142ea9683c01ba627a3b

SHA256
55e1af4820476bc8bff1aff3a5a9e77b29b607a7ced2878e44eb5a01cc73162f

SHA512
8e176fef131437576642caec8806cd3c981b41935d9c4f28fc6916fa6a80dc00af4cfcfd3c6fab75cf491a06259556b9608965b2647a1919a6698d3aadb326d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
80d41f321b458aee4a5b0c9f35d8a895

SHA1
07de1537d4b36bf3238606f8b0877025e206998a

SHA256
f5decd8e9512504249ed7354396dc194e3689f8ad36f88c6946465632ac09c2b

SHA512
21829d5e2df5d269fb6e42ac307954e8cb747bd02dfadedb5d5bf325f34306c17eff7bea46c73ebd5d8b9c82e4f40206262d115fbf9192bbdd55dda28e8a0178

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5d19b6ee842c34ffbd4935d1715a69f2

SHA1
91ec67758436c6742e7936046a1a34611c9aa6a5

SHA256
4d868634e5cb2d82a42a0b9b4bcfae1aff0ceac4f64a7d388ea394c48e6e2f8b

SHA512
a51fa69fcd5dca61e2621574a3e210923633fbafb2acb06516b30996284ce12e5be17b764c812a4f66063772d61b9b46b61f0cd2ae8ed30a7db38400ff2fc6a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
a6650d4da94d17811da38d33d43f203b

SHA1
477baba6875d1bee871a6a4897049c86a63b058e

SHA256
1f7c9e5cb3806331698966d19f7203c49a3ea3e4873c37ab6f42fd0a2e8282f7

SHA512
7746708b29660f93ebc0a67cf7918192dd5d58af75e86afe3def426284b845d98af85d052df482c278ff46d569b80698eaf2921b116664aecd176160220793c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
04de964d4a693e283f13928b783a8d03

SHA1
4b4628ed36fd882c7d19349bf52dbd4b87430b7e

SHA256
d6a9ba29b5d158d5078e09df425be9a9350a202686182b88aae1a4b19ad9297d

SHA512
099b2b28a97c8190f898894ada5dc20c3388fe92544c339af6a4c7d8897b0e4904f1bdf583df7dc27b01a6c15b90ddd232329ef62578040d3e589ba4f6a152e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e15455c23c52ddcf47c01215b0eba9df

SHA1
485087f59288d28e1b5410ac142e67785ef22cd0

SHA256
3f66b554b19f135187f3d60b2213a74a58bebe3ffede5086ec872850443319c1

SHA512
368955f603a655a2f3b4086808e17357ae3df3161acfdc08ccb6c491634da14735c9080b4f237e59b152dfa5acc13f7dc94c49d6a4ab477c85cf724d51559b9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b5822a51a20e510f531b5c810298d560

SHA1
09aef9e29e7f3780d65508f535a590229c579cfd

SHA256
44f017385cbc0f6a998c0174e6b5534a3fb30aa96ea5a859d39b0d239b9e0595

SHA512
a9f88d0ce32d27a1805fcf52760b2c429189d9fb27699686e9ad4ea6f36e75ffea8dafb716141a33c98d6ee231835f387a29f8dc84a42e8417e1311c019f2e56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
bd17ef5931e3a21f9c6bb061bbd0a561

SHA1
8b7866d13211f7f76f2f78d71caead918ed9ce37

SHA256
f7e1340a906c404e6b63da0e49761dad62c01c11f2f166cff078f03574aa3dbe

SHA512
a2646abe47bf758b1836708590e5f8dff6982493f86760ff9788ed508f73948a219dff43a2bbd9c39de0cb11dbc7cac5d240a1764258f5a81faeb927327c79c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
194d531f755ccdeb0c6010044c812329

SHA1
4c09a148083a364456227162d3b16a8bcd0632cc

SHA256
5d59bb1299c8d8ea8bd9a6492f25f9e057109ce307c966abe0a317e0cfacfcc5

SHA512
2379784e76d21c89fa142c80a44456485e708d8e3a0d1796bab9ff3fcdb6b46e519d9ff9d7098b35241d7901d92536f899b420ee82207502a42b696ed5cada6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
aa79630bc7ccb59996c068a87eee4d47

SHA1
141d87d2db63e41517e38bc6990e90f71263f2fa

SHA256
fe32c1119d40e66f5891dd9a06ab54151582af193b01f5bf6851e4e0327dc4fb

SHA512
2d0e84b3f3b6315f8445f0ac41dd81ea7f7d6877c08eba7575c1dfe4e58ed4912a82f30c41f30c7eda863608c46da02856b1d8b815de1e22978125cfd224bb47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
fb6cfce455b8ace738aa3e89147a2dc5

SHA1
920cad0468c363f209502f7aae8e04f93b7c9342

SHA256
cbafd9c4d878e43086c83e545c0e1d7b9079c2d4b908a8271eb0973abc7aec0d

SHA512
368ce3111cf6926951e9f16db36400dbaed6801de6114a54b5b3ff82e03ec6def2342601c1106edc56923702e7c7d8004f7ed743f1c053052efa4399c30d0aa9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
23aeff36ff377d6705de0571b484fb52

SHA1
ff3101a839c76ef0e619370f86a7d76bc530acde

SHA256
cd30306c1f08fe589267cf7686aaeee4877efdb1a6ad40898e25bec97cc40b68

SHA512
803ac6cac85ce8965d734130f904f3ffa88754d254c70b6ae34a13f603296c1e8a93284fdd54195b3b0e9db922481de3a579ef182a46a197cd9ad0ea885aa480

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
9181dd06d7d4cecabdcf7ffd925efbf8

SHA1
66530247b10594339e3a2ce75211dafe4c6591fa

SHA256
5a3bc32acd65c7744df0b2d5196187b8dbdfbb0a2a777636691379b544878fad

SHA512
75bcf27233d0e75307cd768565253985bf6f2c41b05a26ddee53bbf0e125840a645ad189defa4f37f79989a7e05c3281b218e2de87ce27276ab3b97142108bab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
17997ddaeffd04c0292a81d8c65cc59f

SHA1
7f6e22f2d27269fbb9062cba75eef4c75b411d9d

SHA256
2172a9882b52d8a7a1cd97f6f0391b891440c55218ca0f1f32d4c3c4969b3aee

SHA512
8b83c5f0baca299f1ee79f63de3849f687314868b817058f75428292eb8f9236675b908721362c2513280648422be800e44942591ffbefae66291dad6a198a9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b881bb8e75fa2a1fd8acd16cc44c2aa2

SHA1
300cad34745b9dc4911d7e5f2f98a301cddbd378

SHA256
f6278622f0c52df8c209a63726a6b1e62f60329691325f665f9801e5207c981a

SHA512
4b9922e64e1d6e4197fa3cc36f4245ab81b732b53f7a467395fdea461910152c05d5ea02d5420cd196b2afb1976eedfe48f749b8e1a4ebeebf3e084b47e3e325

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
b8fb6282f88aeb0b6318542c2e93214f

SHA1
ca5c597f90ff12b8927d5f1b43b94dfe58a0e5c9

SHA256
dcf903404fc86db9849cfc0bce5f82345588328aeccb5656fc65acd1479fced5

SHA512
8d7fd967ded782f51a3c763bd0ae3e78e97dc66c5b41f03188899e34cefce972dfa8d1972ad15a352c80079d9bc67f348a57b336e0284c3a8af50e1591989c6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
5d8bb05f159d50fa7839ca3354190090

SHA1
6bcc46fb5b942b7a4276fac3fd9790c984641e9c

SHA256
2b55502b7a5ea10b999ed0e30623005be698588b6ca4833892b60da9ece46d8a

SHA512
9515e8474f31aca9adf95ab1b0147484c241a3da403a7718637c2b0232c48b196c4c64aa82de3478e45816b5f64629c9509445290ae88cae5aedcd93395202af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
46aefa7388942012bc123ab57839daf5

SHA1
a6b3e00961f14dd25fd650de3674c7d212957a08

SHA256
78d2ec96df432c194816227462b5a5a80832c7e0a97efe522d258d23f1c63849

SHA512
f0100ec7dbed7445764ddcb5eb1c0531d5556836b5224fc7dcf5da269358fe7c4d34398ff2776b2136a61d7da7b8aa7211cc56a99481f629bf2538a7d5809f56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
ef046a58666c61456a37490939eae624

SHA1
e5b6c49c374db51a1169e005e9a1aecb7f6a7a8f

SHA256
69ee6786a6a1fe841864630c026cefb7041681b8c9a8cddaabbf5660410a61fe

SHA512
3d3db94334c8d9a62ca34b694c657aa3e9f06b236d8be4525640a4f8c9b875a754110bc9788bb9874e338fb7b32ef03607e5cf08e4d6f0ac3eb8888534d03c87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
8a835224ddeeddbae0b69a8f8061135a

SHA1
9a68ce4dd98ce835f82fe15bf43ecfbe2f6e9996

SHA256
6d76801d87f050200af14d21c641e7542ec0ff9b9b6faf02a1aa7d438af8d66c

SHA512
55455dec1acf532d5dd12df8330f2898b8acb55696cfbe5de5f91fc143d42c3b3ead95706dcd3117bc10c09a39c93ee9c081ecc79fa5177b18603cc3afff8b3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
e779eaf7bc34d9388f3128cbafc4c9e4

SHA1
98b3d9462a392dae631b60f3acad1e29942b2b52

SHA256
cab4034aaeafa0cd6214ef1fca20a7267b8ac6e7f75833150b0ab212c1a1227a

SHA512
6bdec190659a8978ce919bef063e85fd283eb19307da37729e2e744947b69f8500e8700eb54a7b637f9cdcb382fbf18f279bf03c4bfdbc2012a49ac1c318a40a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
9b79e0f06b636be41dc8a5a81e73f253

SHA1
97c2ff59a076dc22c3c197e63afdb01d273ad1a3

SHA256
db9c7d28d6877cf19a67a65d5590dadc7f1b3b64ee694e268217ac47e68365a1

SHA512
4973fe2def4aa022befa012ad04ada3b1f278d30dfe310ac222ded640c73cb3ca8833e6cf4d0ba4166ebf27eb315be7943ca9ae29c830b8ea712df8066d11cd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
de1fe38ba0dfd8d8dd1aaedc86e547c2

SHA1
ef5bc64e0844f998887ebd14d4fc6e569a812f99

SHA256
f23be4f0d8da66e73306f8335fde5299063c35c9a6e9d3012194508a207c33b3

SHA512
3e11f40fe2681974aa8f424b86c780a9aef804f232d90c0bf5c0eed2e22615d8fe8150593100cc039117a08fa74609555857db76dbf0a2af47658bd78762a863

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d596ec09bc34e953a121e9d6d0fdc939

SHA1
e24df6b80a91e1e6e17fbd2c2cc04e558353e10f

SHA256
733091a9782de9a45471f8b817f313a512acf4002fe808981b7d542fc3f8c582

SHA512
c545ad6093fd0e513b6c6e1226a672d515a755082437b95a91efe0ca1d4f80aaec5d39ecb79d397ae97e1781f17789a8172401e7ba03d9b1a4b43cb6f7f1a5d5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
481f4f4544011dba4d28c3b1f3df3bf7

SHA1
7fd7210311e143f564352ec65a38c0943a2480c5

SHA256
26ef7638a2722a31a962596490c1511126a9c2b4673660b83a54b14d48a3b350

SHA512
416889b03cf9755b25e435ecf2f290578a0468000c22ddbb128f3de6797516cb4b56251074b7c3fb2ad86ddfd03d875d8022185ef2971daa7157965e193880be

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
722bf5df41ba4f8009909fee0b8c52b7

SHA1
499a201b96c2db61d72b7e86b006f5df093b1729

SHA256
2240b26a37048e75ae754cf7459780c0a44a3b9b68d149e118e9a04f12b1f502

SHA512
2e7e519b31c531aa61927a1695e27467797f799bd457eb20f081bd66fe340c00917311c982aebcb912bf8a3d733717b65f5a029b013648d92b562b9975e8df56

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5bfe04561668aa866a776b281c62b4e5

SHA1
761357ba4be43cb6688ed8812b11a14ab2809f4a

SHA256
6fb57e692e501192268fe349d37c8e2c04a10b8cc359e07225378162f486a003

SHA512
6e689bf8dfef10b6565952ab64ea4d2e7e414d9ea8637518baaa8cba12775d7344d6d9ec373e16f841e36842207451a4dcc12c3be51a3475d2bb7057ada33645

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2d700c7bc4a81854d7e6eb3232b3fbfb

SHA1
026b25bc61a96b4e88b964033a6ada4af0746c96

SHA256
ca618cda59040fdfbe2236bb36bddec909d8bb20413be52f6bcc8b296893b214

SHA512
72412adc5a544a1ad323d89e27746045330d9a2df715e406b32ad445cbcae5130c44751c668da236d9b6f694d8d33451185008fc2d6b783c6affb1f1ad51a103

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
040a7b6974a8d9124b59990fd86e3daa

SHA1
0fde71ca862b83a15322601c3c7ef6554970f344

SHA256
3ea1cd62177aee1bbf212a87e19b766fb81128ebede03a2535da9f05794dabc9

SHA512
394ada75308b7a996506d433ed28f4f350817710ec15a5447c6ef4c33f9e8357244a28b268063daedfec17dffff0a9c824cbf3d9bf3b8ba99b5248cc09e5e9da

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
aeaf175b73315aa219062fa9bc769067

SHA1
80a0e8de592126c695bf0a2bc70d4816f5171163

SHA256
ad4cdc3ff12e74b46e1ff91a3fb52da37d7df6aa494d2dee9e9730469d6780de

SHA512
7f8c4271eabcc541d1d5cc1fa80cb5153726bea49c7e6ef422f86fa67442f184c119892b726e013f07bd17ff1f2858cce8a59637fa27948dd64989c15dca4cf2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a311fa297c4fdf91a39add24a3b4c251

SHA1
e4aee876694210e5d0a3423d38519dcdea774058

SHA256
82c5e3c322b912158f82d0382809341a4e3faa7d216ea81021e5404c62c9c40a

SHA512
cf3218c30d6e8f287ea9a8f557cffab062650bed54101e1de19dc04a5551d2e05f40fcc837c931e386061f17ccd7ec628262f9056fbd1017577a360915cebf1e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
af0157c825475d7f02bc10b09856f0cd

SHA1
0300a157298ebd2fdf88b9c11c004520d4e8e56d

SHA256
5af6e0b64944ea45656e4dc7129ed2c0d2cfa0424321b01d1a1b282ee24e49ca

SHA512
aedb1ee3aeec81861ce0b453839f57e2e9ccf02f37f32728648f8f95dcf8eb5fcf412d30a370ed6d1f3c994a899e06e6306d79da7c2c2e80a162d241cf12665b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
da237f11631b46b6974125f856e07b03

SHA1
3443cead17249cb6097da489829566e2359e58ed

SHA256
23761dc270ab99a5c002677a4cbbf895326345c10164d9b20c1fce9a87f1e4b6

SHA512
9b1890d09cfa3d082ecbd000f102d1f933dcee65271b1d7e089a4afdfd77e273c3a79db3ab18d4c2e29707c2893a22bdf652165acfe7d317b63fc729ed36da4b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a6921df0f8377e4acafb8a220dfd6e9d

SHA1
4e92550541a734036f2035ed2013867f1714484d

SHA256
8c800d32fa80d9bfdc20e1a8c24e3b478f66c1f935ca3c74837a77f62f966913

SHA512
cb3b0672d40aee9d8d09482830cf354df25b88e09b18ac8aae3f5a84a6684cbdbf18ba458b8124ea381ff64b97d3e899acaf5521fbb4c7fffb50851a315e54bc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
09d651efaf16e516fcec2d15f71fa5c1

SHA1
7c3f1888ec6a5ba40bac4f0a42029745c6b690c4

SHA256
c1c6b77128e7000f54837c3bf991874787eb762cae241369a459501e322dc79c

SHA512
effea80c04e75c5c6d2049891aeb5489299cc786014633dd2ede921c35bc5f6e23bf1db9bbbf2eaff804b0f33ae546205c5c03efca8f22b06ad1d44ebcecb691

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f85d89943b2d9046be96d1b3c8c1cb4a

SHA1
78d2b11ca97007fc2111da093fdee729718e27f0

SHA256
41cd14cc45135a1b3db7dca9e5882f1be67b588a8ecff10efcac8d81d6911689

SHA512
e78a40f2ea201eec905a29f6ae940c655b665191efd91b42dcedd321c7067835e2ed72b6c81bf4aef2a864ade3e5c32a693a2f64899c809ceb2ad5e82069d058

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6bb3d3fd0ee7cb557ee820a1260054a5

SHA1
70f780e8ef34dc91d793d224add4737a34b64f35

SHA256
074d4d31694736754215fcbd5af1b5de9995486e10ef903bc1516edc163dd709

SHA512
96919deefc218ba434bd7f5c3bd4c0d1e41948b9f26fafb9fc0629955c41c8a0662f4a71572bfaf644563a425b865463ba18aedb88538b9270066ee8c50447be

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
78dbbf49546fc25bedf4fe47d5c6d3e9

SHA1
7ff30209055d7cfd92b3f63f855755fc90e282c3

SHA256
aa1732976d59a1b95a68670677a6b39e03f622e0be99d89aad6fa2a608bd18be

SHA512
44e759d65f06a24ba3fa8e0c89a98bcfe46d95fa16aee7dd58234fcf5a6953c4fc49751dfaab4b0fb018a2a4e8a07c6237f8b9b85b361886045083db00352437

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d908b2370efd877a3b59d27f196d478d

SHA1
1a573eafc48cf6507838f974e5770bf5346cdc17

SHA256
cdeaae1aa4d3b1b5a2e9e5641fb84952086ca4bc93dabd2f4cfe8d1b1574f628

SHA512
2a519cbde4e00fa0851f8e4b44f4f1ac1df60e3ca1386f55ff7453dede643c117bda594c71180578e18d52f9503cfaa74f8153d0b031f02d72b111a647db02e2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
20ce3eb87878a9dc17335c5d326c8c2d

SHA1
d07eac633d8d88d496c4189b4706e14bd70db33a

SHA256
65013ddb184e60fcba6663aaf82c6d9aa04aa4475d45d547c62193d25dc7f458

SHA512
b88915e685ef4652f46cd546043ae52553805be9137cf6b207ee25dc06b322f8914d12f24941844a7b96eca6bd006f1d03e0157613218b611932e6c964d18478

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
78ed525f52b64850247f3ac56cae0ca3

SHA1
abce307d5a324ccf1ed21087da831da812be798b

SHA256
e56034fc6a9496445510cb5dc6786c1fe49153f49e4b66a011507f3615062130

SHA512
60d47653315a87a3105d286b8fc0b7ef25e07ee48638a828c06cfb78c17c908dd30608f2213e520396a36a8422ad95b27eb522be967759006b337e876f263944

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d9535877d725f500ff65b221ae6894bf

SHA1
edc84b24a2c649da6aaee0b097e152a5a445b788

SHA256
a99f18f30d591097738977a3a53786cd9c82621b94f3e977ea9a25666e6a06ad

SHA512
359eb1a4846d88518f009be4f50a861284107e9008194dfb81453a32473ba193bcc25c45036eaf5e3d44c4d4d99131d4b3cb23142b7ff2e76c1caed6b1ff1576

Download Submit
memory/648-8-0x0000000002270000-0x00000000022D7000-memory.dmp

Filesize
412KB

Download
memory/648-1-0x0000000002270000-0x00000000022D7000-memory.dmp

Filesize
412KB

Download
memory/648-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/648-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/688-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/688-447-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/688-576-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/760-420-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/760-302-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1240-423-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1240-586-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1388-426-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1388-308-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1452-353-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1452-580-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1456-374-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1456-581-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1664-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1664-577-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1712-252-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1712-254-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1712-246-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2080-402-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2080-293-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2524-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2524-588-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2564-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2564-258-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2564-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3092-272-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3092-390-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3192-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3192-65-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3192-54-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3192-60-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3192-62-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3340-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3340-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3340-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3340-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3532-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3532-585-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3888-339-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3888-525-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3940-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3940-28-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3940-27-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3940-236-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4164-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4164-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4292-241-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4292-69-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4292-75-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4292-76-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4548-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4548-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4548-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4548-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5032-427-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5032-587-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5104-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5104-584-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download