a236b4069a356f04b203b41dbc60d6b21ad8f60667ebfd6570b0fba6b3326c5e

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_fbdb9ffdc2ca6098c5f315868be8d4f1_avoslocker.exe
Size

1.3MB
MD5

fbdb9ffdc2ca6098c5f315868be8d4f1
SHA1

22eadd5bde1c5901cfa79cc87bdf2525de483190
SHA256

a236b4069a356f04b203b41dbc60d6b21ad8f60667ebfd6570b0fba6b3326c5e
SHA512

ae91110da5aaa090e77f0420e21530da1d37cf8e26f72e0744c01aa105842047dd795c252b63fba124cfc0b49dd8811c0756518e1088bc40f39e67cc8e8ef0cd
SSDEEP

24576:U2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedQTNjx+mZCkt76f/24pN+XNqNl:UPtjtQiIhUyQd1SkFdof9Ckt7c20+9qT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1144	alg.exe
3436	elevation_service.exe
4864	elevation_service.exe
3340	maintenanceservice.exe
2592	OSE.EXE
2712	DiagnosticsHub.StandardCollector.Service.exe
1436	fxssvc.exe
3960	msdtc.exe
4144	PerceptionSimulationService.exe
1012	perfhost.exe
3200	locator.exe
4048	SensorDataService.exe
4356	snmptrap.exe
5000	spectrum.exe
4280	ssh-agent.exe
5080	TieringEngineService.exe
800	AgentService.exe
3804	vds.exe
4740	vssvc.exe
2540	wbengine.exe
2892	WmiApSrv.exe
3896	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\11e2fa69293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-15_fbdb9ffdc2ca6098c5f315868be8d4f1_avoslocker.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ef512e5d6beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a79a75e4d6beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007deb45e4d6beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c6eeae4d6beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b8943e4d6beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025e7a2e4d6beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001c35de4d6beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000656c09e5d6beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000428b24e4d6beda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c35b1e4d6beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3436	elevation_service.exe
3436	elevation_service.exe
3436	elevation_service.exe
3436	elevation_service.exe
3436	elevation_service.exe
3436	elevation_service.exe
3436	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4720	2024-06-15_fbdb9ffdc2ca6098c5f315868be8d4f1_avoslocker.exe
Token: SeDebugPrivilege	1144	alg.exe
Token: SeDebugPrivilege	1144	alg.exe
Token: SeDebugPrivilege	1144	alg.exe
Token: SeTakeOwnershipPrivilege	3436	elevation_service.exe
Token: SeAuditPrivilege	1436	fxssvc.exe
Token: SeRestorePrivilege	5080	TieringEngineService.exe
Token: SeManageVolumePrivilege	5080	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	800	AgentService.exe
Token: SeBackupPrivilege	4740	vssvc.exe
Token: SeRestorePrivilege	4740	vssvc.exe
Token: SeAuditPrivilege	4740	vssvc.exe
Token: SeBackupPrivilege	2540	wbengine.exe
Token: SeRestorePrivilege	2540	wbengine.exe
Token: SeSecurityPrivilege	2540	wbengine.exe
Token: 33	3896	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeDebugPrivilege	3436	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 4504	3896	SearchIndexer.exe	118
PID 3896 wrote to memory of 4504	3896	SearchIndexer.exe	118
PID 3896 wrote to memory of 4368	3896	SearchIndexer.exe	119
PID 3896 wrote to memory of 4368	3896	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-15_fbdb9ffdc2ca6098c5f315868be8d4f1_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_fbdb9ffdc2ca6098c5f315868be8d4f1_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4864

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3340

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3580

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3960

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4144

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3200

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4048

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5000

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4504
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
64fa0c198b37970cb7d41f0c0454382e

SHA1
22299113e181accddd49f34631a056627c65cd36

SHA256
534632da77df4dbc25cc1632f36413aeb23edc1b5b7e4c19269c48ee78af2033

SHA512
686d5b7a736a49cf88c2d7305e04c63207a94f139cc12ea145489dc63e48e88534f0628329459581b2b56e7eb4ef0be8a134e35522d75b0ea4e3bf3b251455f0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0c128d1d70ad2cbb7902c4a039b9b43d

SHA1
8814cbd125b27a69c30ee021c0514e661dbcdc6d

SHA256
a188b7b17b915d4be01a011fb51766acb2e548b501250f26ca9f30ed45188bd2

SHA512
17e1a5cd04c941b1487c08a7d8bbea0d2bf654e578dfab2079a970b1e0dcc7cb61e068f083608cec60855c88eab623be97efc971cdfff4c046bd4081c57e90e2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6ee9a17f7429ea9bc99049c490eab22c

SHA1
4a2a5fa95bf2eae622ac9a28dc92ef569f53eff1

SHA256
619492e8d092d310b9f067fdb25d8e971ea44664b27474715a69317aa907cf59

SHA512
fdc05117efa721f63ca6211db0b2a2949151b6e527ec4a861f2445efbefff204812d8df14ba1937655aca4f86264ea8e13125ec9839966cb75764433897902bb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
68b17e6993f2381edc90bb3424a80750

SHA1
c13136d5397bd5912e5836dc88a6045ebbaff732

SHA256
9b374e95c69de8de48a62390d1723731988d861ea115f65185955dc09402da3a

SHA512
9ca4f1b6f44ce2ace87ff6c91c71eb6c590395e9f68d14510e8bd88b58b961658aa864e76aca2a70b897a454f4bf3c0902b70ab05ee480bb0fc22c9413e3fedc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
546faccdd51f9759382642b01124fb0c

SHA1
5023acb4e4aa06ac7eaefa74b03e9f74db476114

SHA256
0aa2f3826d2461d6eaeafe031a1aab7a2155e366b448f4f9b4539a9f002a91f2

SHA512
66cfe9eb3025922a31f03f174961844202a90e00b465963395c2f10800c119d0ea8fd70abf9c64e89299d93bcc8ee517959e7da785233d1ebc34537e5935e988

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c455f24b4222fb1b115ab43789f5c65f

SHA1
75a75b10a9928cbd0e5b2894c94931d949db5478

SHA256
8eff5c3819724ed57383ec37a31a6e663871977ef0488cdc737dd31f556819e8

SHA512
f7a34c1d0cfa9c5a275297bd63779aab00a91e6d4649f0663bf3177c34a28caf1173fd3202d6b02cae1735b32571fe5e45efe006e126ad91469552917fdd56da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
db47a0757ff926874899ab6059ba18ad

SHA1
375d486f8f14b207d1dd6c6d6d4c167d2bc57474

SHA256
ab4da9a77c43de59dbdec5eaadff145e646205b50c7b2c4f34d0389f84ca5d9a

SHA512
89b490fc8aeafedca93de601bfb673d2767fb384616a517e20819d58a727c03659df0b8bc8a4bb5108ce41a24fed3a84d0cb17d517261b795ac2910233cf0069

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
169a5b3a4e22025fe640d9691d79fc38

SHA1
2a441c31d81c37c0fda2f771bcb745e5bb15d61b

SHA256
3355a2e5f6b96df49265e9eb0ffaa906653cbd70d2f92ff4378bdf937b49585d

SHA512
ee2b5ea9140128656e86761d505209877e661354fb2720148e555005939902621a39d4260e62b667977de2aca9e3bbdf27c3b6fcd1fc01f5a3ef45c6fb1c6aa6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d39145ff3aa462beede4b63647d847e8

SHA1
da240904cb532fa923aca102a1112491deda89ce

SHA256
403277c7cd424f8ba54d8c71ef7cf1d360e9dc4394cceedbc0286a59554e1bc2

SHA512
1ad3518c4cd16bf8a33f2635c90f7b4fe855c41e3341f4b306c57f859cb558ef797d8d760d407fac882e8b91dd597db889de49e699f9a51033b86b767fa5d2a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ee9bcbe8730fefcf306e9b5fe0230b02

SHA1
fb335e3e1ad9a4afaa5522af25a8e54254cef1f6

SHA256
ea6e45a44dfdae07bdd15e06ead03a0e1c56e3b45603a117412ff5e70e7959f8

SHA512
daf7169070faf2c26296681c6f7b3b1320235d4db1611f79aabc7edf1f8e0e9431b4b196db330d2473c9665a00d02d159b233c81c7544d891ec4e03d00437f13

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
becfbb95be85cea6faf5a78fb559dfd1

SHA1
05259ed7494c9ee276b30ba542e9ab134622e745

SHA256
3a6e5002d9203b46fe9638ea09c6e5f45867aa780989e88a7bfb18642517adf6

SHA512
c8b94aef9f12ad7982e8568dd2752cbe18fa31cc9de62a8980d522d2379c7810846a43c6d570a0b213ab2acc41c7ba74acc040ce49aabe94c4dd8f61631a1258

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
33b5dc0b5658b8bbf639741f5801e946

SHA1
dd10ad0d414ccf72fba0e4b3ea905b2c53f55e47

SHA256
ee330ae05e382fe7e6800e4bd3a8feffbd8b53f811a5b19e47ee0642655d9af1

SHA512
05a427934081f09127d9b1e622f7143b0e4d168724adc3371838da6365ccff03bf338ff981bb9b5f626d8237983a72bc6d5a51b8c90963897882494cf335e67b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ea1265d0b03164ed2369e1fb8c07eaff

SHA1
5be756cdd2452e70b8ca229ec76e30b080f932ed

SHA256
ff40fd24c97ff0f7981fe48740e9c4d8f44177ae2b5188f5f67eaa602b5964c3

SHA512
9bc6615f364d3f58bf09a34fb15adbab6b6837535f69ad9bcc9320786572f59115b23bdb21120f96b01fbee7e0ccc0368d01ffeff3cfe21dd76d025f3a4c3646

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2976769aedd6a707ef3becc75b2eb591

SHA1
95cbea4cd334f2c070084ab5a1528abfef6eccc5

SHA256
b7cc364d2949b4ebe7b033bcadfb46bb78488d5c9797dc6cbc353060a6dea50a

SHA512
8865b75ad2092920d1b5798a06463446be8f411a2d759a76a2600e084e719541a308969f78c076b3a71acae428a600b7fc59121b068559dad152b909fe763bd6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1913cd2431ae48d1e9c7e1bf8d278a0f

SHA1
952de21e130ef36dc9d47b5448f7149dadd8c6bb

SHA256
25a49ea24394f8a6c6f5df2aaf4d5947927087c69b2b1512ccd9ad1724534e18

SHA512
b06353fc138d1875945c193773e34ee786329091b50fb17f6a571c816e905f76d2b5c18f58dc4a6eaf80dfc909e94e834b77652404253136efe70fc60166af69

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c18e274a26f2cbb34b4b41aab3fe48fb

SHA1
31900e7e2603ced60cce5cb6994b28d587e93b69

SHA256
2dd2508280f7fe07f3264a6d6893d5ae9597bc48e8011ba9e7602948f4a4944b

SHA512
74c7f232260bf27f3828468531e55ff287a5138fb843ce522a7e957601ae705b362ffb7610c8a01161d7886feb787b7d585fb20a110c006009b65f51ad1ffbbf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
24069f7006ee316274a43e506a3ca6cd

SHA1
5652f0c2d573df7e2a84bfc98414b1fcec882e9a

SHA256
2f83d132d57c28190ffce1146744a093b9ada515979702f9abfbdffad4999a86

SHA512
812aa93d4a1eb8f417a4e075d586548db6217fe48e45c25fa93e5d922d429a1a62218c71df74dfcf7f09b17c8f61c3102c47457d1b0aaf686618414df4a66e7e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a624cee8f0dc602180020a0739a188b4

SHA1
9d1a6cc616e021a5ada7d68e019b55f147af71ef

SHA256
df24709c67e7329f9900fdb9e25cfe6ca6bde0937e7157976f8662b232cb06d0

SHA512
d2eec442877f3f4d0344612b75f6b961177ffe630b3ac1999fd0a69805f6e48bfba2f7bec65e343824437f6258880ed698031587206386727bb569da86beb411

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
88db3a04b0501a9220a4857fe0cd403a

SHA1
77d3512623122a1c25c1d4ed20475f0c22354c48

SHA256
42ad0ccaec15cdf8d3b4b87eb43c320d56f6c3b26d7cdf5d6d68ccec3f14c76d

SHA512
77e576656abeb0244bca0e959c46dfe7982f8dcd6a23cd1a098dd3cc8e1516ab9f298a3d0cc484fa4651a9df17d28a807fd37172c607c347a84ece8d3d920838

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
efb6c8959046f48228b11625ee1cdc38

SHA1
261eb485a7119249da8a8fb509c62f22f3818d85

SHA256
15cc073f5be9de3c79906236d196b8b4b69ad30b160816a468d8a33ee70978ff

SHA512
fe00d544cd7357d8a5baa18d1166353af37caeb0e31de7cdbac4892cb2d019542b83438f5a5cccd3fee5373d7c2a204a5f4b77dfd990991e5463dfc279c27bb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a130cd63ef0a80be8401e4e51890d6d8

SHA1
98fcaee033d3849bbd223f68e6e3b2da42594bd6

SHA256
376956b10ff1e8537de2a47ee7c623c3fe636f4750c3cc54b31cadc341558217

SHA512
efd7159a71be86dc372a76ae7fce59a71aab4a8cf0b2240ef8618d1755a2e2f057394a227fe15523da46bcc22c786acc2e51bd7cd7834c99e45d86b00f81cfda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
57e63e2bb9e475aa19f3fbcd6c600346

SHA1
5e56787b0c3945988180f40ac6f68aa3c907644b

SHA256
5647dd1af1ba4fc8a50bcc737364e27517565ecc5fdb510a381a116d1adb354b

SHA512
c2fc16f6501513a6d488ba76427cf7979c4215bf14f7f8a9b156b424373eb1dfdf181f3fc7789582ad7dffdab9fa479103f1668eddca590192d709abfdaaca8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
abcf4cde4910dc83c268f4e06e396310

SHA1
97bc6e1fe399891fee2d922116a639616cc69877

SHA256
a3351fa6cb1b4e09efea82c93924fd6564d8e89379bef46a31e200fea4591688

SHA512
32f6b13250055cb61d04b5c9c62f7ef93c494d6b4747d92ab3da144f14ab657fa2f03fd4140d67d567dd30b74272f49fbfd23bebaa9cac0e45b75b36b1bbb2aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6550af89eea6603c861e5b30bc5930d6

SHA1
7730c24766c49299816b970a0b54097e7c9cacce

SHA256
2a8619766b096bb3ae342d4f6a89af1ecf72401f4566ee5bcde8e265e67cd8f8

SHA512
92dd3c5314ab6373cba91a45f3fdfdd8c1c897f095197296527836140a972e549f6b381ee0623cbce3a8b3bfbf26798051a45d546c3072ce3dc7f734ff89b4db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e5d3a1331c6248710dcf8b90278b0453

SHA1
4e07dc3f071c5408921e6b8e35e5cab385a9858f

SHA256
22472a99c37b70a4f1e10a3afe3f4e98ca650696c26a90382a1e59156c3c64ec

SHA512
27041df67880a28c44493453d27896959b4758c9f04a33e8447a12af1509f643e7503c9bc614f08cc8a451fbd8e295e22b8264596b128dbaccf978df105122e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
5be3d8d34ec183780468d698c6654dbf

SHA1
3a6288abd048f5866553514c291e2c1f1e667914

SHA256
ab62b89a87e099894fabe8bc4170b6b9c8c77fd3d9d68ba0731294658359f682

SHA512
169a73fe91831e845a8630dd50dffe77cb614edf344d13c743766e78140d122c0d3df064ca462fe0bb753565364f1607e103c85105f28c69ba00203fef78507d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
93c4f1305cc4c9cffd84dc7213a83491

SHA1
47882d356cbf1572ba327f7b2408ba42f4d9ff07

SHA256
e8e7c4ccc328fe48ae8010cd84fc0f9a4ce82620f1c40e7ba979c8a85923930e

SHA512
a87b887554b5b799a724024fe7f00d7ea512cb5cf8a3785aaffd9d79ace71098223edf944dec498cdc9512dd333c9908848e0936f5e2495de44372574b374a86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
d596c3d627c681649ca8adbde047a6bb

SHA1
a2a2fb2856003c7e929267c1589bae826e607549

SHA256
e6c1d8a23d6f6f124d6f2c0849587ae22decbce59e39606d68a93fd86b4c6706

SHA512
8a78dfc3a4656148ea1b0d1f20f05c9f60043a29b5c4306549bb4dd3f64fc76f9e31baf5cfaf69b88f83c8a376eff851102956d8a31677c86af045d2bcf61416

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b8b98eb550a8e26b5c4ca51525d6b31b

SHA1
ebeccefa57eadafd526fabd59d4e35a75777d75a

SHA256
7ba5fa6e4a5a66e184e01a7b8ff96134ff0fbedbd5b392a9424e316bd0d11f84

SHA512
1688693c6115abb7e1d8c0e7b0d67b3df6cab2cf03b8829ef87267aa6779989ab989457f1474ba9c5fe0c153e2df46407117a27187e895a518e1454a5d249861

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
eafe032d84702368d3e599386963b03c

SHA1
aa7cb2cf0cfcd7580c0160e55e327fefb6679842

SHA256
f000f01f2b527a2f1cf566e9cea5965b9e265774914b7359970f1d0660275127

SHA512
71bae5a7f0e26cccd23a5b5c6f2d474d87062aefd29e967e85ef24e8e576968847ca6c37c3d5b77783e4190dccb3e9aca3b0be21128506fac5d3f75ec804081a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
62a9a06f28083b7f935b3dcfc3a495e4

SHA1
f32bb6f27513b47237838ab2c7e0cfb0ee16be05

SHA256
461f161986cb0689023eb99cba8415e4b3fbb7c0c614d2215df6c198ea209705

SHA512
fa7122838cbc6594973e99321b1b377e56c38c7e32bf7a1f6099689bdf56a9ec9f13a9ca962df782fceb6d09600f5d306bb7c33b2e760eb587a58fe65f0f92d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
87caa5bf82ef4e3c8681a0ce28ac325e

SHA1
60f793efc3781cd7be37b95056473260436af903

SHA256
e51f10c8e45fce381c557cc7a9008022510e805ae38dbcd9a3e969eb3b6ebc8e

SHA512
10b492138381c069c7dcbf88696d4c5de78f365d37ff1ed83131a460d1398d1ae955de5483689e7d069f873f50091863ad66c6780c8e2944752dc2c74143a90b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7b08c69c2f199b6b8d5b39f22c2cead4

SHA1
1a93321339a2f62f43c554913a106ae0293932b4

SHA256
57e8acc37baff2f2b28dd693670b6c80005e02a645d52c2cfd726e0b1c217c32

SHA512
027dd63425c40ae28cdabaeee5e39185f06afc347e121bdadbc41bdd3edc9f3f94a691561d1e07c7c34a6277449961562b43b7a5588f015594d8d4f617db5a4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2ff5dcd0284d7963972009388f05d4e0

SHA1
080479fee0c70a2d36710a564f7fe82f37fd3930

SHA256
37b939df4f2f0304e3423e7b94bae14ad0e9b6d7f4e9ea480c107c5ac43fcf04

SHA512
1b134888bfa41b50500939f5582f3243e7c48c531e678c4f7f9b64f30704e726faaa12922e904569a38e2595b276f311ac07aafedf77f5c6d2efc80b41db3376

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
dc9d66a511e4a0ee6ed908df38aac0dd

SHA1
606140f0063aadf1ccfb94309458ec5bd91dc2d2

SHA256
8fd7a4ad6d69ddd279a4964fa785cf66a3c9882391505c5a3a4b773a07e4c06f

SHA512
e853d3ab3a10df463fb21f6b8208055a6374c2ea9e36846938cb631c6ab71e479897a9629403944e8874344c06a61253ba99457e63f3c6a7848300200d905e73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
a3734a70dd6772c89ff8455952c96778

SHA1
67a8e01d85c640f34426dde6e92b061a4dbfa384

SHA256
debc8a3d3f3e1f4da4421eeab90a7c5cef4194614d0fe197bbfe5f469f2e8f64

SHA512
0c05f5c1ffd64198e24a51f6ab33135d064ddad91a06ccbe3d396ac51914d3f4b6f3385ea4db013df25b00b2bb46b2d9d952b39f4d899145b7c5720199e26a62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
1e927a475f77d6b019fbdb0875ffe238

SHA1
cfc4e6293dc70414b0c438c3643eb732504b71c3

SHA256
eb9dab04682b3e51466f7ec400940bfa5da7899364892aadff89489b35080944

SHA512
45ed8ea41f4ffff0898a26f62d00fb035d98ebceae17ef3270dd027ecfcee79e15ea1654fee83758ac98de70c10a02d39abd819f3aafb4e754ea6fc0f229c696

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
e4f9357aebf4a9de21d4db6a63336046

SHA1
c013571a5cd3dcdcac932e6819f5d31d3dfb58ff

SHA256
5c3239f717948a93ded02bedc302c893863e0c400c0aa960f338d287ca4502b0

SHA512
6ff414a7c1ca6a4707e46b471b22ffd1915dbdc15b912d428a42b5cbc9379086073ea2f776a136bc3842329a63558ecb0c6b4a644ae16ae90505300fa0372068

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
ecc09dec23c6157e7fb40e3cf4369b4a

SHA1
b120774bf50b3ec497ca078f142ca5bd2e9d0b10

SHA256
320822180b9e82b790ebea8513cd91010e5e4db27fb2d238127ee6cfe803d270

SHA512
362f0aa8401cf220af114d26aef7208a463ac814a1c557530c4a7b277d87a542d0591e8ec4a7f1033f016ecc348b78332f5ed7bb7ba710d542c09d67127fa043

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
a7be5af8071cfbf5e1eb92c5b8b5d88e

SHA1
a6263071b1dddf457c9e22deba5a5672d1a3b9f1

SHA256
54813ed37b8330e6a663e64a378d12dc5e315e25fa530062fc6d4dee58bf8372

SHA512
760bcf03c9988da1cee823fd9d6b7fd6ba2e49f1d16d56a24b15c023484bd9a9b5fd6c4639565cc60040b8be91a34b545d453e899991f3de4c42836377a00dc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
8a970298faf8568e4e320e34d71b5fa6

SHA1
02f18035d638260d650c66d17c05de184394b872

SHA256
96e506a9546031223f458a3f7b4c9a0f18fe141ff55c275b3e6157ad573bae63

SHA512
48e3d7688efd3f094ad839a2171785637f7ee387e9a5e5a6c0e39e9f891d459fd620c4da6f250435d94370b0b5139c8d7d765dd1647d1d4047e6cf290c8c4123

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
088889a0c89dea08e97b0a671ac8c681

SHA1
4cbf8ff867b5904c8fae3ac9e2aef5f8bc67d46d

SHA256
be7cb935d9230abaff9146b368752bdd77958895e2b2a0dc8fe064b511fa7afc

SHA512
b65cec0f212293b22a1f239eb7bf9d57a313034caa8ced30e9849173db758bb7624d56ac637f7156a681cc1ceb68b634a91f71d87a1186c953bd79d80529ccdf

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c9ac194a5d4228ea6f7b2b8ccff91dd5

SHA1
08a72c667a499adc9c115ebb4184bfd642ce69a4

SHA256
a388fe5834cff8797f5fabf730dd3ec1967922414bbd5ed5c8abc9974364c461

SHA512
ffc60887b32bf95a6ebbd6013cf4c8029a10fb0b586e0e8e713b7ba23aaa277d78856164d6143008b3d3a65e01c8ecf742bcd1b3f3ccb3c229c6968192289a77

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c8cb1559c8da62c1d7dd855e5e35c8c7

SHA1
c26d22988e8c2457bc3f3682288b277dc79e5e39

SHA256
c0da29424f89d87ebea333e2ee26fb095ff726099593963f5a57c59c04a187f0

SHA512
836381ef2f04bcf0fae6477022d646acac63f7fd7bdca0544574eaef936e41629ea44914a70ea50fe10445abe0ed404f1544a3652c930d807ba6fdcaa77aeb0c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6a007da7bd26d26dac05c74b5550efa5

SHA1
b921e0105e3ec198009a2e0f3464097b7a14362f

SHA256
b805e722bc7e96d4bbfd679e15797de6a8f64345dff6ffaf57cfd98c19d026a6

SHA512
58a07981e72c5847f8fff16da25600c7258f6e2fd9aea2fd64750980e2699df2fee775376a7a018ff727fc818eb3349e354c3067a44f05aac2331c78eb76ac60

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
364cc0bdbeed50ea685d15b2ed5740d1

SHA1
61bd73bb070e3c9c49f3e8f7d29601ecdcc29773

SHA256
698af67098d008a6123294223e287a3f1cb66ad7653ce1bb1a9a44224a0b0991

SHA512
94ceeb446d86061421288f4ad769f711aa6f68b69d720450f92c0af9d62ba0b1e4701ec539aaabfb0ffaa557ea36cd3c9850b7c3599c2008768fc32d360c1fb2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
43051b9daee76202f8379ccc793e9adc

SHA1
38cdf96eb61fecc070d00e48b61249ac75f54560

SHA256
0a8ddba0bcb8d871ba6fb2ed1abed155d5600d2288cff9c3687137fa29d1df8a

SHA512
0c97bb589f047f9f6cd701a8150a80e9954e586f037664e2250a12c0aac2b59a6a6ee5fdc75c70f7fefe6fbb6a7784f21934806df2335d3d8e7968593840229c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
c0d51d5e86778accc97b43847bba6d0b

SHA1
c5c6ed0e0b9832013947c8184b1f87bc2eeca577

SHA256
0c7b0143ac8f74c031ea96d45276261525d016400dbb939097f71e0dbffc9d45

SHA512
296a4a808c2af2c29134719d5455336593ffadcea223c5224d175190653d8c4458b646cb14474ac28b94dd8bafc221954ad02b2c7a84862dc8d5dfcc811e3520

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3c4c333f563eefe8b7b9bba95ce2a5be

SHA1
77fe289cab174d9615c2e4b23cbb319b3f840eb4

SHA256
7ddde0b094981e08d7ebeac3a7c9de5c72c5a6f2f797c869621a6afacf023a55

SHA512
7cbed221872e191cb03ca07ec9bea30c286bfb4e0e74b5e7fcb63e8c8ffa1e0815ab0544a28620ef41b224f1da2ef53cb66c7c36c9a316a28b304532742dfc9a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7b95375b7edc38d7f1d6a63979019a25

SHA1
f8c41cf2983bf52235d0fcacdbedac344735d893

SHA256
545b238805be4dfeb9469440f8f7cbe9458ae67e2f81afec9e08552cf88f5c73

SHA512
e7f3226ac133c86514c7894509c5789b019ddc97f6606b7ad065efb9f41834fd8f59d65a73d8138736457bcd6aae0595d276ca1bdbe6655e93236c00cd6f621f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b3a1dd9fe0cb94fd8c13a1be8fb6e2a9

SHA1
b31a0ba8ee174cb298fbe3b1bb68749a771b2c2d

SHA256
3ee47a34f6ab4e2242eee60d8ed82de5af2e39e21f8ec9dadf638433f4746676

SHA512
25240d77ebae18883a1b318577a75eed55cec2344d7b6703186027f299fcdb598059c74c38f2839f8c0119b13bb9f93bd781c507fd71373a6a63c7dcf86d0dcf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a6fed494effcbd262695a6775398b019

SHA1
6b45f6067563a6f87b9b5758e657c83bb42fdbdb

SHA256
99cffe62a176d381c944c8678ffb3f47aa5638aa3c660eedd3d2606cb2ab146b

SHA512
bb8b03c271997ce4b4fbf96c98f8cd49bff0082b441651a3423661fbde6d40e14bbbad233a0fd4867459948fb302c5759f82cff363cb5eeccf7bf5529aee369a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cbd34dd158c685464bb80ae70213b114

SHA1
8872ec257282270afdd637d5333d08e05e7281fd

SHA256
6062de1af8ffa408d7cd3af896326ff070baf2ed61a05558d69f0244d67e6f23

SHA512
b0ba0eb0949bdff80d8136a89d16c1d02eb60390f5d4bbce7136c8a89e160dc36bb9bb8fc4664933aca798a6e462aaf66839604ee07dde77076a88077fcaff5e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
07b7f8816dbdf96d45c0e5819ac1e302

SHA1
ab1102dcbc9d93e37b1ac66dd2cc365a855ad1d7

SHA256
1ae6b98c0df52f67306308d2df22fea6706ceabba613a001b038caff5627063d

SHA512
df8c70e12e036ba34e858b79cf7186e3202b9c5510b15832325d558d4a17bc9be280e2a9e66e8653ef4756df5d4f615c15726e5bc06a16a4d2529153038f90ee

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8f63f3d9b8ccd94f64c212bc30b2ca53

SHA1
91081c3c46389fca3fd8e420657db75caea8f8a4

SHA256
2543e4d9a2528e73f2531a2bb8b1de7ec538e3d37e1c86556d2390d19277be33

SHA512
88a73fe45e2f4a1f42867803dcb4ccf43843937ff33af8a3396f79b2f00e392d52d15be9468493d4f2e2e7aabd88814496980330611d2e51302633a2d467b1c9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b087a135b738b682d7584ebd1feac99c

SHA1
43190ae552ebef818fdb1f129430911695aa108a

SHA256
b6ebee3de01ce9aa03cbb0fd0fb771284a5261ab812a5c773e37830ead9a6218

SHA512
718424be9d3aaba50c683ebc9dae7b8edf0759ee4aa674b12f9ea168715ed74b92822f4be0403db92d0be7e0152d75244636ebc68abb68e9fe9daeb73d560c25

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
89ac89d5b299f6cfec900cde3128e471

SHA1
607defb9863ba51c9ba577879a6cf932444184f8

SHA256
3e907679f8785ca992623cf0b81fd6b376205146363edfe4774cd0841e361925

SHA512
9f94d428c797f987f5bb6ee1d158899a1859130d6e1da3e251afb6fbd003ff5e3d2ac6a714d54af1c00aac5b4e6245dea559e2ddb158079086942220cc0bda28

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b30fb01d86a3a8450ff30d8ee1bef3e7

SHA1
b16baaec5c549e5eaaa1dfab7cf1f6aa1fd94964

SHA256
ee2d203609042b8d7743cade1d6fb8a976982d8972eeb8b1dd00543b0ed8b5e0

SHA512
1baaf0821d4c60e86784b37c90e24c5fda1b146cf2559b0752aadf8f42e0e52c4d251a55e9f178db3b450320785eeaf79f8e161222ed00d0eb98c8d7cd745781

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3783408166e2c6649ced0e442326cba4

SHA1
cf2c6bf77ab64291bc09453151e6ff09ee8f8885

SHA256
14607680dc434ad37e75f33fe313eb2e214ffe78994c05a9c9b1086bde41c1cf

SHA512
9d3d6140b7933d03c87c5c8e8af30d8725d16c7199a94532d23397dd56be370f239f1a489cf549795130be7f9a0eeb72ba164a2f107015c09def3e5486b598bc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4f058e1a1552c61e835d6ca6fe71e72a

SHA1
0b907f56b5f7d9cc2bf7b9430f91a9d1235a8506

SHA256
359eb98f911b99da3d9b5c0599091dc80d30b83dd3052114bdee6357f4af7f30

SHA512
f64a9703ab62760cf576ed9752b3a7b89589a3168d82962b757e2c6e2997bf38d52a778dd3700c5611464ba11205be75e30b77e9114333d9e3c53faec4ff5c05

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ff16624e17041dacf96d0829acac4655

SHA1
16cb77e2aea2e2c797cde30d2b381179c051da82

SHA256
47cd1750c1be2e2fbded144f0ff622f18770b3ccd7d2066d730ea98aea95520b

SHA512
61a64082dc61adfcd39fc60cd0db2ede50ea1339c58c798e681fc4807882ce6490096e67ce68ec337b18efb1c555b553fca918b728a97e7bfe959361a9e2416a

Download Submit
memory/800-370-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/800-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1012-408-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1012-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1144-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1144-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1144-236-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1144-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1436-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1436-258-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1436-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2540-417-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2540-646-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2592-77-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2592-69-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2592-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2592-75-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2712-246-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2712-358-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2712-247-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2712-253-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2892-421-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2892-647-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3200-301-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3200-420-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3340-60-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3340-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3340-54-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3340-65-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3340-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3436-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3436-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3436-31-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3436-40-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3804-643-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3804-385-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3896-434-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3896-649-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3960-384-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3960-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4048-635-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-312-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-433-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4144-396-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4144-293-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4280-638-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4280-347-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4356-535-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4356-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4720-29-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4720-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4720-2-0x0000000002160000-0x00000000021C7000-memory.dmp

Filesize
412KB

Download
memory/4720-8-0x0000000002160000-0x00000000021C7000-memory.dmp

Filesize
412KB

Download
memory/4740-644-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4740-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4864-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4864-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4864-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4864-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5000-632-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5000-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5080-640-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5080-367-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download