3636e4dd4ead51ab7370f57a94975777a7457cb23eef5501d7cd6339c9cc70f7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 20:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_c4717a249ddec7504000e02edcf54a8a_avoslocker.exe
Size

1.3MB
MD5

c4717a249ddec7504000e02edcf54a8a
SHA1

f0eb798799e5a7305e3792047b811473da84c858
SHA256

3636e4dd4ead51ab7370f57a94975777a7457cb23eef5501d7cd6339c9cc70f7
SHA512

f3f6ed67649fd606f2c0310a1dc8c9cf2ae78c0d0e58845603252544c40d8c4c8bd0a3a121b04708e9dde43365f257d9ebbf22275f9eee1ad3d0ba8583eaf52a
SSDEEP

24576:i2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedcmaouGSPGM9ZQ8GYelhwOXGEI:iPtjtQiIhUyQd1SkFdcdPGM7nmoOl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1288	alg.exe
2864	elevation_service.exe
3096	elevation_service.exe
4552	maintenanceservice.exe
988	OSE.EXE
3212	DiagnosticsHub.StandardCollector.Service.exe
4792	fxssvc.exe
4520	msdtc.exe
236	PerceptionSimulationService.exe
1368	perfhost.exe
3512	locator.exe
2316	SensorDataService.exe
2432	snmptrap.exe
3532	spectrum.exe
3220	ssh-agent.exe
3704	TieringEngineService.exe
2888	AgentService.exe
2588	vds.exe
4212	vssvc.exe
1592	wbengine.exe
2940	WmiApSrv.exe
904	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-07_c4717a249ddec7504000e02edcf54a8a_avoslocker.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\244080d293b476c.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c46972721ab9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8d1f8711ab9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000541d45721ab9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0aaf1711ab9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d07c85721ab9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7951c721ab9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5f8ff711ab9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004696fd711ab9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e8eb7721ab9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094925a721ab9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2864	elevation_service.exe
2864	elevation_service.exe
2864	elevation_service.exe
2864	elevation_service.exe
2864	elevation_service.exe
2864	elevation_service.exe
2864	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3432	2024-06-07_c4717a249ddec7504000e02edcf54a8a_avoslocker.exe
Token: SeDebugPrivilege	1288	alg.exe
Token: SeDebugPrivilege	1288	alg.exe
Token: SeDebugPrivilege	1288	alg.exe
Token: SeTakeOwnershipPrivilege	2864	elevation_service.exe
Token: SeAuditPrivilege	4792	fxssvc.exe
Token: SeRestorePrivilege	3704	TieringEngineService.exe
Token: SeManageVolumePrivilege	3704	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2888	AgentService.exe
Token: SeBackupPrivilege	4212	vssvc.exe
Token: SeRestorePrivilege	4212	vssvc.exe
Token: SeAuditPrivilege	4212	vssvc.exe
Token: SeBackupPrivilege	1592	wbengine.exe
Token: SeRestorePrivilege	1592	wbengine.exe
Token: SeSecurityPrivilege	1592	wbengine.exe
Token: 33	904	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	904	SearchIndexer.exe
Token: SeDebugPrivilege	2864	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1544	904	SearchIndexer.exe	120
PID 904 wrote to memory of 1544	904	SearchIndexer.exe	120
PID 904 wrote to memory of 432	904	SearchIndexer.exe	121
PID 904 wrote to memory of 432	904	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-07_c4717a249ddec7504000e02edcf54a8a_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_c4717a249ddec7504000e02edcf54a8a_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3096

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4552

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:988

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3296

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:236

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2316

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3160

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1544
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
eb08f7c63c1163a3b9a9ca92724d8897

SHA1
91cab758990d00b5dfe2d2a3b4347eb7c0fe8774

SHA256
5bc39477bbc8882e7faadfd48875c0fcf7d706f780de38e51370e02242e0020d

SHA512
c25e76bbeb2d6dfc641a87181191bcebd85bc91aa47c0c5b15d09d62d34f8d1ebe5edcaa2e248e5efd703a233cd2e27ab424caa72cb47035a1f07947001de4ab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
256454f3778bfceb071732be1f446dea

SHA1
9b7cdd6249b8f3d9ab68ccda272ef9ca806eff96

SHA256
0515916ccb5a391b29128ee1f46451701c6d6e45472ce1798132ebe7f17eb1aa

SHA512
66bc0c6c76cab17ca3725bbfb58582c52a3507c65c7bb90cd7bee23b9548b19c7160c522f7f9e78bb3dd6074c29a4fd9dd8a589e00163ade02d11e720064cc0f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
d2ff861410edf9af0fd6f058065babc2

SHA1
d1e2ecea2d63aa22e8c41b95a9c306cc0cddac77

SHA256
8d3e780f79769f83f1da7e3854e67150a30bc48df96064fcc7bf202a83a5aa62

SHA512
bfa496285727c053b9b82d230f9dc2982697a700eb76b041109480c42e40623e7a3e0cd3ead2eaab71ee2a84ed67021b4d3a59c4049310516ffb3fbc2724acc9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d86831b37bbf5d7eafa03c1ccfe540c4

SHA1
1c59b7dab7e02e1470c5f8b0c14499caa620d3fb

SHA256
dccc7021514d25d0a95bc43cd94c20430aff6bc5785b0bc0f5f463ac4a88b097

SHA512
87e26dfa8b8fcbff4c4611665c538dc395af3c6308a92ce9293b4cc3dd4cf022ca59c11d6ce746dc4d640e4b0fd3e6685a79a60c88127a8400431acdbd907475

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3d79d3b0ca13098be94a64997f9eb6bb

SHA1
d98f95dd2f13bbb71349e7cd7b4b85343e507345

SHA256
e4d2995bf66a99aac396365356bc261dece7f03a7baf5357f57637567119d7f9

SHA512
058ae6cb6680a9645cdb138ec9dee0cc1898b17581ad1b5e696cb78555d1db7cc5bacf5e5e8a0deb568f0e1fa0b20d5d39e03d4698fbd65da39b031763c5b41f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
eda7b9b8b4659985f9c21a71d76aa905

SHA1
bd89371b050a68807e75d2ecfdfd7afb4578a880

SHA256
4a07bc0e6e39307554da54921e40c5eb40c15bfdd689517f6d794da57f539fbc

SHA512
f3fa692dbd1d73ef3e415a5492a6127727dc4c1955693efe3b6b43bd0a21f177ac9bcda9f962d1328370827decdcece02fc3f977c17b4e12dd03c1043a3044ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
999af1f8dae012e90700d29600073fc0

SHA1
86ea0d9ce616918385745467e43ee7bad5f19ed6

SHA256
ece2c4db53875cb2370f63f608549e5469ab5bd938e657d1d8b51c3c00801ef6

SHA512
bc758aa911d6e71614f65c97860ca6c3111349a949d9b69305cbe03da542d6c078918907d44303b4282661323c1fb8fbb69a1716199b906d9577e635d54f671a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
317fade5455a810fde7dbf08ad15a880

SHA1
210fbfc4e10d94d15d240021e867d1fcdcc39ca4

SHA256
17a2f9f8e5557e2a3b83cd688207b40bd2cea2d1391bb2dcfb736ed651234a5c

SHA512
0e19700d29e3d89d04913b8160b1def3ee4f712d80e58b6b86aa9df3a8486d171f56ba58532b8266922bfb0de713cbaa75ba0199ec9bf9469734dc019b3c4a0f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
fae47b5b89d503cfd36cd3501832dc21

SHA1
5cad0ec366a51d545cd5d135e9cc99e0f7a95396

SHA256
4cca0de177ea20dcd6d34f1b0df0c53fffeb8090e10fefa4c14dc29b03b85329

SHA512
cbb9ab0075afc7b406df2a9a6f53c493645be22418a5ffad0bb6a1983d45029bd63777b4c0b69e3d67c1163dbfb5f5d9bae6b63ebd0a26e74d145693041e6403

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
354cf50dfe43e98e87668e2be29b4ceb

SHA1
c4f27f558b534306e871800ee6a5ca002ba33632

SHA256
63bf73a9b430d50959ba259e2493e02fdc6944413de10196ce8da842d490ac31

SHA512
98d901cb00fdc51448b1ff78252a50dcc645f880b7f1acc5e7e19a1058fdd8b748a49d8695db51d8901b71036af118ec7a6175c77ac427eab1fabe7dc063a26b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d79678651f5bf1c3fd6c2beeb5a0037d

SHA1
631336ca6667d6296ee9a4adb8b458252b2966b1

SHA256
ab9d64e666dd2f6366fcf3dc717b3488063a5ca9e8423c77fe096ab4ee294bf2

SHA512
4494b4b0b952d8106b8bcb8398e14f8112485758ccd3f2702885ad14b453d1393de7fb91daf0a325208ceff48faecbfa366fa1c6d13d12af90237541e29b872a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f9f411d36ef28435644b596ea7e3aec1

SHA1
2393c44f624f179f12b32c47bb6875bb2df7be1e

SHA256
871cbf6eb92f81b75dfe39603c2eeece5341a299aff9c3060873cb59b4d5dc96

SHA512
412aa74bf5a28388e2b4cbde3a08870203600f780eb6a3670146050a7fcb775f8bb41243c2325f12b59d95ed6927c309b07077de97fe18545e5af53494cbf470

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
a66483bcf115600cda3cf6934a288192

SHA1
e9cfd3f6e058e2e33c2536b69f98598130f6bc69

SHA256
f6316139391772d6429d6b2a535c938816bbd7da231b4b818380a6c8ab843133

SHA512
a362e3abcec982e29de7a650ff92ea2f17422d167e04a1289e9445d729b5afcad829d499922f1d1f42947b7cb511351ee6e585527147bcf8701a677eab9c6db1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
6d63044d374de2283347a627aa8f8ef6

SHA1
5c260fb56119a4339fc85dee23d2ce540a4f5929

SHA256
1db1fa8f6f89f746f04621b442fcdbafd7dc5497fd2735e304552e9365d88eb3

SHA512
6bf5004871e0193b8522941139337236b188cfb1e6aa188430c5b6376bf15732a06f5d947661bb0a31546f2609f32b68eb9fe708059f63adf11849f367f072e1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
972411ca3bc0619d2f3724cc7fec3c4a

SHA1
6021d070772def6de00de9d661a02e7982b03be8

SHA256
8f50e27cf62d6513b692452ffcd22f1a6da6ec946487a7468364833a71341d0e

SHA512
ee15ba1a813a779b6bfdb7968eac5c7217f48fa5741305990e857d4261b87de248474284ddd017a71f5acabb3360658f20ae0db2a17b7039bbe48aa1463ebe87

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5e88d5681d2729a635e3f40a9bd4b560

SHA1
b9a56fe3d0c63f7d3a7f6b401332641a2d868a6e

SHA256
7ef828735ea2a8cbeccf5e726d46f8ee9f4f1f9733d4694122e7cb14b08e3a3d

SHA512
2211d2bd5742cad9dffb1648b472bea7108e456ea5d3c938b703b6e84efea4c878340adda7b6cfb34f01282a4454279804f7486b6522b0bca8a07692fac843ae

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
fcb5b14cb64cdfe687c2a7e40e7b72b2

SHA1
4eab48e4466d59a578872cffeaff9a5510268fb9

SHA256
38e705ede4ca21def0a73dfac040d4e81f60601e5b48960ff1fa6c87fbd135b5

SHA512
020342172c3f145684d5509c2528b9470cefd3696d36bea19bdb7585f958729b452bd8499d579358ab0d1ea7449626af486027e615b98f2fba151fd0f41363b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ddb7fa7e50984bb595eb5ea1825dfd27

SHA1
7048b826f774361adc6c7bb0a4eafd76bf1a6b17

SHA256
af2d7325104cee7d41c1cd83c6877af7393fd1a731a0379e6eea17b84557069f

SHA512
7a93c03f536e01e69b192a7c3d8a753f3ed7d1cf9b802cde12cf3cde472e8b73eeac3ea1f436ece8aed653c2c646c19001345908231f0eb1a4950d4d8f1a2303

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b010987b2945cd45e6f23d4e389f7615

SHA1
fa39164d0f16f9043eff4cdc00b96366f92b40fd

SHA256
a47f11e15eac6ee2f6e0d2d8a8055b203ee808e8a09a78185b3e85cc88f996d9

SHA512
0133a2b3a5228887ea7409240e782f59b363b44e4c7917644834c8e14eb316ff2cf296062968f2b55c1f4d60e0ce004043ff141c634f401a6227c183638318ed

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
27fea02e11aed9f06a615fb36e8a5f29

SHA1
3b70ce215a1eec6e35543e763d3f5a597aa97dd9

SHA256
77f22d39f9b3ca1a299cdb58f2541e2913ebc537cd2981495d820f7126ad203a

SHA512
304a0774a52f8e03eaaf08304715e6fa5eed40e3af102dc49f4c3714d6a7550f2c5a5fc09d6545f34a8912d7520543614f3a995666205d67860f90a4ce1558f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
990e05560b0c3b30bd92a80c7d2c1328

SHA1
9ced57192f88daf40464270655c9fe084ca2d456

SHA256
cc6e6321a1bb7d0c6cef7c6def3b645190ce377bb05a7c32f5bc4145e6888381

SHA512
a69a0afc63025a724751665dab208e5359e22b3f0e42047b85479a208db8eb715a6029eae0ab2773afe381750690a53593593b9bd0737b72ae50ff1b01a87956

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
a3af3bf2e25d566650129852ef08b093

SHA1
78df0a3e93174c8135e8ed24f0b6acc55e6986fa

SHA256
61a4c2aba080986f93d50fbf0a1887a185d41ce28332294a594a3853eb13d348

SHA512
4ca7a7a8568bc37a5420a37e7f2b0c55a30da46b64f97981d2c8b4a3569aaf1985dcdb695f81ab1a288e5194617d15b62d2cf991e3691f731708d38c0f3867ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
3c91221e0195d2dce3e8962eccc42333

SHA1
18179aae96c3a734c92132d5efe1f0a63b1df41c

SHA256
6ca811bb1e1b2bad4c1b904515f8e812d3175d60095c0c4d70407160289b90ae

SHA512
016aa6dc7dd6e20d9f5c74ad95bee18fcbe4a6f00cb7eb3b138d6f3f595529ba7bb3487f47575e1f62ec8485a78c685bce3691c7cc3e5ec2987eb072b17a9a61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
7f0d1503a6cf87b5fa9e9fb8d44a1a4a

SHA1
d7f9297c2fe343395dbfca47840984a127ad2a5d

SHA256
85f2880d3f19990cb85a69786f9208f1e3e6679f4c0a41a8a32dabed11ee1773

SHA512
0c4e984b18ef4e4c1ce453b8827598b4dba26b9f0336a2c9c754ff6c64753598512e5abf7ff1f6393622a0687bb8ca57310a7171c210e94a1215de29aa734936

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
a139b9dab77426ec4b62a5ad70057085

SHA1
e8135405257f92e3a81d483dddb61c0b47cb27ab

SHA256
d7543748959d9578a4c57e79bcf15c0b62442ab290c56a67061c5bafbd63c773

SHA512
79e9f56ee155ebd4e62b40e84597d7181c9455d3eee96b7d89e2aac81ada15cfdd2715eea17d3b2ceae01ae6a6536678f033634dca247d770afa386f308a814e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
ff544bedcb39e90190e9c88878bd3601

SHA1
44a37b96fdfce7a561579a51d4b2a5feaed06995

SHA256
dbf0573db36fda5ac03b68d1dd82537da31a53fd4bc09dc04a8c376ad9bab823

SHA512
30341f968f147554c7ce70f5a582f0005e9660e2101172073ac5246a5118f608cd02fadc2dd46e9475bd6ee8c44522d4a2938b8decc7c75b58e2a45bc13bb5c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
0e9aa5cf66361d4bc57d14395fa17468

SHA1
538ad77e03e98fcf4ae53d21162cfa58bae4f4e9

SHA256
72f97d73443a12d74b11672bcf9b02f0b05b0bf0f536fc1e32ae36fb85327c4c

SHA512
41601b98b9c422d18581f0b341501f1ea7fde7aa3f19fe382b5c309c87dfb131ae9e60028fa3dd4e330252db85fccf11713f7b9102a48409a112418249095b6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
00a1e07b15c9e8df7a4bb07d0632fef5

SHA1
c97b9670f947a709a76ba8d0645e29eeb403a9db

SHA256
f5e2d8fd15f5b1ee16c4e4acf22b6e960192a1a081a90eb15682e6f9cd8f9993

SHA512
3d977acf85118b70b1660356404ebbf7316c9799e2f3f370c535dbee0104a61d0cab9ca60a11a6285502a5e60c3c8aa8c5af382b674f57280d8714f556ae81a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
229885519150b6c9aeb0fa8b97eb3370

SHA1
6d7066bf33309cde171df002741fe3ddaa8fbfed

SHA256
d960924c2d64e108f759468dbe0ac05062ef7c97e3bc9758fd154fd41a3aba7c

SHA512
8d6c4a942e7fa492efe3443a37f990db81a843bf457288cfefe45367322927371e503c07628a71317ceca8cfa623ae074dd4b8a5be1ab0bdaccde542938a75fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
468891eb1ac5221d39a1a7ae4dbdb615

SHA1
030c60725df9de676bba651af400d05e9290fd94

SHA256
360122b2477d2d7d8ce5bab382d637a99bbd6693d1625052a81c3b8482b45394

SHA512
ec68f0bcf23434bc7801633ac6f444be58764c658ba735e01def72f156910b2371c52976b38260a633840dd44082bb87eab0d36c5a713f9a2f7dd5d93ad45db9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
71461231a121bfb15330c5774845ee32

SHA1
92a4a8697ccb06ff3d015904a8d9ba26b8faa630

SHA256
4863fa2603da2b6886d969169ffb80910e6b2f59903e93adf9711e8abab4f277

SHA512
8c4b57e78837a11320b77f35de17c6b44678bd808217b13c46f1c6c4f0dec007e6bae862085a99bffb92bf1b6081df0196d92f5c87430db1299be2717e01a566

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
78057fdad1a58c7214ac502588b0554b

SHA1
0083ca0aff10aab5876bcabe9e6db8a7cffba298

SHA256
ad57d370f2a760eac12cb90748cc141bc86b42d5c174f47682e3dde209634667

SHA512
4f8147fce61af2a8d964587f7a94eacfc070d728ad33e535acc3382e40f1a6a7845f25f475fd1c38ef5fb1739fdbe300f4741932106d6fef2dac7683ee7fe95c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
4c2c3fe7013f3fb7b35b322452f32294

SHA1
b8b0d1655d28e498aa57cd7a1e4b681c73ea0241

SHA256
d8b62440a5dfa0f48711e4174dcbca97dddad97fcc470f50334d9e710ef871ce

SHA512
bf7c78461899113e7092bd7c38ab330d5c3561a4076eb290ebd97cf9b60afa7d88847fc48ee0525b2776f04bd0a11329a4b417ceee4839f98a34f219d9190d9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
a730111a5a2af04b68845af214ed0941

SHA1
e676ecaebbb3b4f9e6364032144f4cb8af626eb1

SHA256
c26d8d6ea6e999abd5a83b7f49eb643f5d23dd01da531ac5586944b7d24cb9e6

SHA512
3dc46c1693b54911a2b2a767a189acff5999c24b9f5f3eb92b2ece08626c4992aacb044cd018b1121523ccbf1e5a29567ee9490aa2f4c59b7ccafdf06e4a81e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
9d1d2f4d591165005e1f785051abd23c

SHA1
3289f745e6bbb4b6b82e7eae9704ae83dd673f91

SHA256
e8899c2b94b7bc2a02b9ed31197dca0471749a75779eeb7e6c9197405a1a3df8

SHA512
266b50bcf9f2343166512ebb1bc7e525f3355161ed17aac9c14ad935cfd21ec2b00a5a2fb4468a1848df85759e5be87de5251e59f589608074d2bbf5c36aa8eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
46b17891238ff7fc55f02b1a104fb005

SHA1
e1bc3650a7eccde05a4e4c7b2fd37ca4076b73b9

SHA256
b859d663ecae8972a99868b3c77e9687827f607e620ed3ba927b8b11ab7426ba

SHA512
0b1e4bbef39f28f47d67b255262c4aaa3bab91974b15fe832ba19a12a0b60c2888d312b2da086ea535dfc79e898aaa73f242ead8fd6d438519d1501003656da7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
9eb9268020e954f810c3ce141160446e

SHA1
8884770c7cad86fbaae0c2bc8e67ffc137371382

SHA256
89faf4f93569cd1d48e3cbab1fa4f11ae7903d958d8fe69037d627171b2ceba9

SHA512
e2f15f5afc3f762cc6ead0956a09690e1998512b6dda61e4c59fc3d5ea31bfcc6a900230613720fc2ea1c6dd4d986f1a7ab8802e1fdbac4d25f417f245fb3ac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
db289a39776d10e19ade3b83ece2bade

SHA1
7d4a5469233fcbed66b46d082646233f986ddd5a

SHA256
d9de0151352fc01875a776d9f997419fc44c05ad939640d63211146314e707c3

SHA512
7112b5c46a47d4f43b53c069f5fac001614ac4301719c96c38098e66a31962b42dffac284cd9018c8c0ab54b70e6da040c0dcefc41ee0f8283cc20733e065be7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
5144501c76af21def1564fb8b6bb379a

SHA1
bdd24cd3f6754bf107558c99e4b5dc9a05ddb501

SHA256
5d0f5e325dcc0c1188f4a212a29ddee955e6f95644d82c6e51ac79ac450cf264

SHA512
b9aa8d65f9547e81539dc540d71c5fb2233a6e808d96cdec9966d656535c6fc57bbe07b509b9b337462507eb2d0cba0b41bdb22efbdb22cc2914f0aea19d7331

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
94ed55371aeac4df848dcd72dc41eb67

SHA1
4106b93726ec87ba9f8a070114a75ef73ae5f6ee

SHA256
f1690a40f66651571b02833e8ef98fcf05f3fe0187ad50483f7af39848d58b5e

SHA512
56691d06b124af453a5c5620b3536e8a87f1fa2301eff6fd12465ad81bb8cbff7fad5ab3c517abadaeb8e429dd3cabd9cde2d2c1bb920a752f7b83047e6192d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
3648ee522b1f8f9b2632d73d2a57b497

SHA1
e5b55386c12a83b3a4572544e634b81bff7fbff6

SHA256
2ce797c18fca06c86437dff68d71bcf87810c172b5a33caba498e17f158037df

SHA512
c42d3d9e1e04ec444fcf19af24071c1583ce099b5529bfa42983a6cea58f5d8558d4c6eb9e4a42562592169e4f2e8ccfe4a9ff8dc57ea42155df81ab14edcb95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
9d26f274c90a34c7c557ad326aa54fcc

SHA1
47d1a2c4a37730ff58a8e2837c0a9072a13ae8e4

SHA256
857d3ec31a83b08d04ffc83807b4fee4ea2ed61b138e1d1d1bf12ffcb963c026

SHA512
7d3fe018a2b6c1cc146a7f3e90d85953469e1697b0f3b3adc8e71cf0aa182358d062b94b1d39002a5561469106d57db8164573084ba16b50b432885f91884388

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
201d0cf60efe4bd11a3e370b578c9055

SHA1
75792a2b2cb3ef982bac1cb49a59f59fda1734ce

SHA256
e7fe9de4771ea61d9f47f514ecbf7dd9b2ec427b3d4822043b3332bfc57e5170

SHA512
0aacc3d6f9564ce974c31442590b1445b93eea2a79284956fdff92ce0dba21d9d9d97d811b1668abc61d0e124116529c57598ce4ec1edc7f234d17bf45485093

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
3476c3529e4ca364be782d73f35f7307

SHA1
56c8fb7db2a6a36f0826515bcb36739dcef9bb97

SHA256
3dd52681b064252fe75afa9d701a2e895552663beeea4926495e483d98824174

SHA512
9217fb5ef2499f8a07f83a26cae11df54a9db0c4da4e9f508c4ccd855c46abc21a1f2f064b14d1e4ccff075aaf48ac21de13d2fc19282796025f89c1f8bd7e38

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
fcffe38705ee180b1f3ef590d2330b1a

SHA1
128a772167f0af51b144f12018b5b3f5902f5639

SHA256
06f7fe79d8ea6d26b23c95052e95cd353a625488b8c797a5978aa0e947037be3

SHA512
a0b3f1bd8a156506d960c99005b63b681907855a4cd865543347d0e5c59bbe9cea665fcd14789e9d069bf64983db9b354776d60a9c4724514501dc3456231080

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
088519849b4e35f75f868bfbcc8eadbe

SHA1
875175a03b8a09a2ac676cf62252c8590687f287

SHA256
ccc0d52bf3b7018448104dff984f1123f82fdd46cfb249b5ba5cf0f3da4b923b

SHA512
e4de09d11ed65de06441beeeb4c8361f183e7926bddf177a75e3d059b8b9727ca037994def1b65e6998795e61fbd4904235cbcfa9519c239ff440e215fa37812

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1196d00895958238288bbb782f7c2193

SHA1
0ba3d5f14e5db2f49bcc20b9e2a6851f98dea12f

SHA256
f67d45f7a6e56e7ff04bc6d313508a3236a6c3005bfbe96bd13dcf61ec818053

SHA512
8506f6a00a7f1eff280d816da9deb321c3d3f426c203ef3da9f7a3732f3ba686621d0c250b8ac6c81847ea196587424d3f3dffcaff698ac1a9ea13ba82cb2aa7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9039cd9e6a28a2b4c1675a065cd1ee9f

SHA1
f6a706dd1905e4b7aa59217b9ced72f790c66119

SHA256
e6a7e6c342ce9a09112f3d8eda2af65393bb18cad7d9733b002b4602e24b9fc0

SHA512
801d18d7f6d4538b48555483f1b1f81b1473366517b8f49e1fb973de9ea2f51ade9be260126d06d189cf9c2d6c67ae62f58c9721fce0c9ff0624cfb0e3f83f9e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
5beaa35ed09ae68eb89598b5c31e78e5

SHA1
a00a6e4b043588eeb3af9782a46231ce70097d30

SHA256
949387329d4a9d32990adbcab4a6c93d6b12c92fb7f2e61ca2c6d153048d93c0

SHA512
f8b36f287170e8d14ab450a0b48c53ff08b5ad0b93ffe2c566b8d24415e665c8975941bca556344e7c139cc9f8ae651b32cd5f2722565553dc6a2b5676073f35

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
5a119ed03e44b36ec150dd5d606f3fac

SHA1
2ef2a802af1c3fce9e6c87d9272f92adc4b14735

SHA256
36327790720c07a6f1955e919aca67267f2f832743efdc8700f2267cc3d88504

SHA512
8426129eeca410874c175af130771ad331952d3bb2f60590b85684e4760bdc0037ea9aa5a27e04bf6f60d3b801e11fc14a2ee79a43ea097d66952f3752f52abf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
6b4cedb9f8804607fe25f8c92458d904

SHA1
3e1c6fdc1b4e16e9b531609031910dfc436ed37b

SHA256
f9ee4c4082538b53dc4212593a40de27cd5ed6360bd2b685cb69fe36f32c5148

SHA512
f579de6327447d89e332b2b5af27045870d2038bf5cbb1873d026a4c9fae935c3d3ffeb99ee728684a76970001f0d152a4b85865bde04c841525be7c4daaf8cb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
24a852fd6901ac7e251b4189ab360709

SHA1
c20cc01ab8871235f1fbfe956db9c98d4af80ce5

SHA256
18b5506fda4ca7e3fd086ac4f270c1e256b2c3d581330f52168e93c4fe886554

SHA512
874bd4c38d468eb35684ff2c42cd1b37b531f16d35b6fe791d174662dd40d9ae8259c0c09baf7dfd530affa6574b0877e3e9768fca2cc8ae2e216438386d8d42

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
28a84fc40acdbb9ba75d8f0a2f8aa05b

SHA1
c4b00ed92fecac7a2b41f9e3541cef9d84c9dc80

SHA256
72ed4fcbea402dc6949dd33c1c68867830707acb80f9236204ac402ee296ec8d

SHA512
1292f386de87e54e7eceff18777d5044836ee63d29bb446ffbd7437e3a1d97c4a5e3df63e56ba08edd9a714db0e11ce819ea9cb0d12946ff53d48e8db5cdc27b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
86ac856d59cf0a7e07084a5a54f46cad

SHA1
62666b1c1906e215b4c30cf9196c91a3aeef63e8

SHA256
72903fcbf97098daecace841b3877c8be73af1dc2ab690d5559be881ceba5a36

SHA512
0676bc1e69113b2cadfe46a7d3b9db7c121a676ed02a48dfc8c10b52d9a465d3468a52e7a3c4e89a0f8225fe9d2b4bede3b74bc525ee65b0008aabf02a886b18

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
f035ac9398088e4f46fd2ecef781e056

SHA1
051f02bd8d7a2e6f1ad522f6e0b9f59af68b8426

SHA256
4ca291d2057f7b0fe126b00f3d9d840f45287d978088f23d22c448da6c0e2530

SHA512
ab65d0e5386a41c1f93a7bfe5b5cf175dc9eed94b3620342c5b6dfff1217f5a0705d158bcce06601ff692559da3b6b64c14797dd0e90f783cac7c0025cd5ac16

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e7828a0a1cb4adb8021e4a71c565524a

SHA1
658a4f588bfa471e195f462f99db88f8043a9e4b

SHA256
d17eafa6f2615fffd23f5e3a9203d5da132ab34c32b2ca9c0e8128af9ec5b20c

SHA512
497bba7c44ad86c88e36ba04bccad62a948d0b52f5dc507fc4fd8a883620edfee509cc29264c038b63cdcaec3e5b718745e0eed13db53f6a1b8bb8ef203e3689

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
41931222fe712ea924746609000cb443

SHA1
64272e6ebb9f726f3c0ae87c510c7b1803d846de

SHA256
489f6493f6ec1f0ee5d6eb9b90604c3aaf351e17f7ce056881a7d569c34ade09

SHA512
b761c310e670ac432ff5d1066a6e8601e160000a0bf1cfce0ba152957f3a190a3fb827c02825fb195cdea20ef9a37c098cb629a6ebfc489e49583c100e22c1d2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
9b427ee09f21c0b2b1af2ae86eb3ebdf

SHA1
2926a9aef2c6ab95da352bbcce5ea87d3694c07d

SHA256
2a70e759e138deca7bb1ed12de1bdd3b1da8970c5a202fa3dbb15d9ae19bbc2d

SHA512
8b18fb7c072d528acf9474035b7b9ac12e5249754eb3512f55880e4fc63a7a889c69427c4c58d45c2072ce9756d96ebd094aa48ac9dc352baa4fa05086a526c2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
fee5d553bc6bf1aa3d1ebc8949709272

SHA1
53aefece58f73a2b6c851ba0ce96167308006ebe

SHA256
537c6182efd0ce524670e53ac130d4378a0fa8aa6f2e41f2f926d261c23cc89b

SHA512
5695cbca6aa1617fc0cfcbd69f2b362925da5ac0413d8ee8c7c7741e55516ee2174544e6d357988843a627e2b9bc2e3865c7e279c80856833b141575c9ef5c72

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1f651808cc9e0ef9b8484d686612479e

SHA1
f1134ae61b166395ca221e0ce9d28b208b060f75

SHA256
abecf4bbf2920d6e895a5d01c94cc916593e039b546d043062f46dffba15fb0e

SHA512
31254dcd6f2c17d44d45c37e98e3ff4298b8e57b7ec72485440f9a949423e76bf45a248af36a7be0172396e45a99f8529ea341efc1607a5c28344734532c9600

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
bec066ca0881aa619e5047f14369551e

SHA1
7c7395d0c373ff57242613b37c416867f17d76be

SHA256
6e27498cfdd0a2226c7ca9524297a66e930447ed0d6bf7ce7134f49c3a24b623

SHA512
04e5b377bb7c902c78ab796d5eff6ff2461beeffcd0d0758b17f266a89e811a64396e701b74748b6853f996b7036b2521a70f051488a0d36a7a0eb9ff0622fb7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6d8da916cc5d60b4bf3f87209f90bbb9

SHA1
c6722833bffce80c51ec1908addd56b8fc3ac36c

SHA256
db37c1e01086c79cc50bd130ea898a416279145db4539cecc267075f37ed2ed8

SHA512
825bab7ff4813dd532d737d47f79ba5e95000f998da85c5cdb36d1e2afc17d1a77a93d55bde1382f1dd6159bdc2e8017d0051d39e6d89880fe98abfa8eb75408

Download Submit
memory/236-286-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/236-404-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/904-620-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/904-450-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/988-243-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/988-77-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/988-79-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/988-71-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1288-27-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1288-18-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1288-28-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1288-238-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1368-300-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1368-416-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1592-618-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1592-423-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2316-329-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2316-447-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2316-610-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2432-341-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2432-607-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2588-393-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2588-616-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2864-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2864-32-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2864-33-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2864-41-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2888-390-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2888-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2940-429-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2940-619-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3096-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3096-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3096-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3096-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3096-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3212-248-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3212-254-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3212-256-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3220-356-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3220-612-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3432-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3432-8-0x00000000022B0000-0x0000000002317000-memory.dmp

Filesize
412KB

Download
memory/3432-1-0x00000000022B0000-0x0000000002317000-memory.dmp

Filesize
412KB

Download
memory/3432-26-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3512-428-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3512-316-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3532-611-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3532-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3704-613-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3704-375-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4212-405-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4212-617-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4520-392-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4520-274-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4552-62-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4552-64-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4552-56-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4552-69-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4552-68-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4792-259-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4792-260-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/4792-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download