5809bed5ff1b488415a64a2933c918f6008aa944925dccfd10ccd35d4d7e97fe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_e0189340b7cf6fceb691e3143a775fcc_avoslocker.exe
Size

1.3MB
MD5

e0189340b7cf6fceb691e3143a775fcc
SHA1

318c3668d17b68ed747abb2480fed6c1c28892df
SHA256

5809bed5ff1b488415a64a2933c918f6008aa944925dccfd10ccd35d4d7e97fe
SHA512

9b25a0edde92336ad5da75372f35b3dc5368d435092da7fe5ae683932acd941803c485e8f291eb5d807a0c1ab4497b86392ecaed5e8ff93be000a84d982b1094
SSDEEP

24576:d2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedTEpwsQNgcdAFeK+yI47Ga:dPtjtQiIhUyQd1SkFdTEysEVAFeVyd

Score

9^/10

spyware stealer

Malware Config

Signatures

Detects executables containing bas64 encoded gzip files 1 IoCs

resource	yara_rule
behavioral2/memory/208-237-0x0000000140000000-0x000000014024B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Executes dropped EXE 22 IoCs

pid	Process
5008	alg.exe
208	elevation_service.exe
4948	elevation_service.exe
4452	maintenanceservice.exe
3872	OSE.EXE
2936	DiagnosticsHub.StandardCollector.Service.exe
3232	fxssvc.exe
1668	msdtc.exe
1728	PerceptionSimulationService.exe
4668	perfhost.exe
3976	locator.exe
4264	SensorDataService.exe
2164	snmptrap.exe
3476	spectrum.exe
4104	ssh-agent.exe
4788	TieringEngineService.exe
3792	AgentService.exe
3212	vds.exe
840	vssvc.exe
3200	wbengine.exe
1188	WmiApSrv.exe
3480	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7546a7b185dff9a7.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-16_e0189340b7cf6fceb691e3143a775fcc_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal	2024-06-16_e0189340b7cf6fceb691e3143a775fcc_avoslocker.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaws.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0F1D587F-0CD0-4502-B48A-EF0248B94ACE}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cabc9c49ffbfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4bf5e49ffbfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034058148ffbfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa75f348ffbfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f09ca49ffbfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c8e8a48ffbfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6725049ffbfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026838249ffbfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
208	elevation_service.exe
208	elevation_service.exe
208	elevation_service.exe
208	elevation_service.exe
208	elevation_service.exe
208	elevation_service.exe
208	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2880	2024-06-16_e0189340b7cf6fceb691e3143a775fcc_avoslocker.exe
Token: SeDebugPrivilege	5008	alg.exe
Token: SeDebugPrivilege	5008	alg.exe
Token: SeDebugPrivilege	5008	alg.exe
Token: SeTakeOwnershipPrivilege	208	elevation_service.exe
Token: SeAuditPrivilege	3232	fxssvc.exe
Token: SeRestorePrivilege	4788	TieringEngineService.exe
Token: SeManageVolumePrivilege	4788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3792	AgentService.exe
Token: SeBackupPrivilege	840	vssvc.exe
Token: SeRestorePrivilege	840	vssvc.exe
Token: SeAuditPrivilege	840	vssvc.exe
Token: SeBackupPrivilege	3200	wbengine.exe
Token: SeRestorePrivilege	3200	wbengine.exe
Token: SeSecurityPrivilege	3200	wbengine.exe
Token: 33	3480	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3480	SearchIndexer.exe
Token: SeDebugPrivilege	208	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 216	3480	SearchIndexer.exe	122
PID 3480 wrote to memory of 216	3480	SearchIndexer.exe	122
PID 3480 wrote to memory of 5108	3480	SearchIndexer.exe	123
PID 3480 wrote to memory of 5108	3480	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-16_e0189340b7cf6fceb691e3143a775fcc_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_e0189340b7cf6fceb691e3143a775fcc_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4452

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4296,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:2092

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1668

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4264

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3476

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1364

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:216
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

Filesize
2.4MB

MD5
c56e08974f3ce4698eb2ac48421b3344

SHA1
3718d00ec957638ce106eda526f600e85602cc3f

SHA256
874eec459093d92849e6b59f2b3aa0c19327f6996cded1ead357ce73e1b3e5db

SHA512
73125885a1e55915031bd944c2627ef36299392b020dba17a003a370a99d57d1f4963620987be5134d927a5754ce7e20b88928e2c8fc10063074a7678c3593b3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
861b3b07ad606126273f7bf8a55b8b50

SHA1
4f303fdbd93b45bf042cd026885f2791ded5ed1b

SHA256
80447f9eb7a10c51711c29a3af80a2a394de2a3b8060c5dbc9940123501031d4

SHA512
396c2443fd32f6e492d0bf524db95e418048891f6360506272d2652d8bff13e3cf679baf0c059ad6fb102c5a1fa50a639767eb7c79a4a7d2babe949f6fde40f6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
c39967816f9d384198715f1f6dbbdab0

SHA1
1d0bce272607df95aba80feb2e7aa24c96c29c8b

SHA256
a31db30620745f42fda1cfedc279c58ada84145328f20068f2b56066d34ac879

SHA512
eb04b586d67acfebce04937118ab7f1617b6cded31f7a8edfa38c96e7a95d50db432435c4d0629ea20f6e47c019254d40f80554cb3bfa8232a497a7a617635d5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e0cfa082793301b438f68f7941adfcef

SHA1
317601f66110db7a0f1d102ff02db8d166a27bab

SHA256
288d8027fa1a92dae16d7b75b6f8af4a25df90ae2453d44138fd1c69992b7da1

SHA512
51d2bd4acca47ba198573c605a013038441a02594028b9820ca2577d311eb41d3b2b4d71288a40d1f7170ab649984299a1e9acfa9a771938f9906d62cade3ab4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cead8f158ae78382abbcbc80ccafb1e6

SHA1
b329671c0d0a64d3878a3b5f610ce02e8112d546

SHA256
2ef265065c18910aa6d4f36e4f1a421aaa10293457816e62406e6a48ca9d0c53

SHA512
bb4067bb03bf6eda660a40a9f71cdd45df1c1b778ad074c0de699184f533981aae758a926a6cc66908b18839eb71c7079f2fa4d5716656f58ef8e8fd5b6b06d2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
978bcd264ad52ff93d7f46f7df371662

SHA1
62ec0132e4e7190a3820e043fdb9028731e16007

SHA256
6ceb8a8f4ed9a301814297eae705be3dd5cccc815016be8f7f6fbb8f6fcf7edf

SHA512
93cd059a24c154237feaf0182daa8b6b3ddb8f04703c0a3a09dc60ce1d14f8657cbbd463e4a85315fe263b34d19dbe506dbdf3ef44e56bbaaedee0a9703c6ff7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
5c836adc941e2b169626f0d97ecf74f5

SHA1
b45d61f40420b95a03410af2057ca0d53c0e1f37

SHA256
43f186a2a47b294e5be12119fc0a854aaa1ddc3daef8db7877d527e971ab8bcc

SHA512
afc1d2440161c192ceceb2d4effd22d256dd48c99ac3f30f66593ad238249068bb9c60af8c12acabea5b81c4b0afab92c066e6a9bd037510f2dd6596eee2e833

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c2e86c958ff03de3d28da803fd807b4d

SHA1
03b88929da4b801beaa8eb5009efeb4f21b9a773

SHA256
59088f868e2d3b3459e7eb1da512f5c599a72ffdce2d5e9351e7175acda0dcf1

SHA512
c338195fc7961a6864623bba7408575f2fb7060ea5942af236703aeeffa3c69c163b70159a0e10801924e5fc60f7b4b572f24a84aed76ef43ee113f249160afd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
372a8a7dce1a9c6652faeb40fa16569b

SHA1
4652eded883d14a4c7ee0df13b984489ef24b1ef

SHA256
4c276e39313eea34947dbc6704f142408d827fc8c595902d06517f49649d5201

SHA512
2c10b9cd9ba9dbf967d3c5a76dbb7014a55d229aaa306c8b81ab55c0666311342eddc93737a2a2987f6eed7f82f9898492074c57c462b6615f642e1e826e14f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ad38a3fb6d017b3d61f3afb260718459

SHA1
037d38e3059695679d9bd090b2b04d4d2293067e

SHA256
6835f06669c6de845c7159641e088bf109f3884ec125b89caf375deeee28ac78

SHA512
6bb894d5c0e7959058c27d51cffc532c7954d6267cf49dad0c8e957a34dce6203c29766daded309be4a10b304208b20f22daddeee90de87afaeae137517802f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
023f68f715d3d59655ae9cf9cd04464c

SHA1
2a7cfe692fcea40702c9a0d07a50f4d3bd19bca8

SHA256
6bfa7237844d82ac46f3919fd5959a9cda1bc02c6cc0ca5a7931146f0ebe507a

SHA512
3911dc5ddffef3a81b3488ef366369df6b054df083e8936abde8630a4fd2aecacd25ebecdd41066433f11e93d4b47b6fb66e4a3226faa5fd4d115a9aead2854d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
33d71e9ac43f7fc5f57c84a0379bdfe1

SHA1
2e8df613e2f47db9976738fc4338742cc9c6c79c

SHA256
3247c5e2f9b495dd561df61e17e5b7413eca05fb85162261eddb5d493c4aca6c

SHA512
fba3fcd20b3a1f254810f457e593983e86e2a71cc39d6aca0341963131f73bd7ab97d99f03a8165d58978919b43b8f03d48668fbccc749071642a8325e124633

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
edbccc0fb15210870f4bf9a8b407d672

SHA1
61d8fbed45667694386062d268890893497e5142

SHA256
0be7b93a821beff5e5ee7a9e99bba06ac83a00f836079715ee9365b1ac59b677

SHA512
60b2e341299558375f795a344d335685298bd0e4d84d795c197eed62dc3a52917d798cdce09865a1ea4eaba48137df4399324667d1005504e5154ce8988558be

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
c934b2bb4ffd001a888305b3d072effe

SHA1
23d7d6d28c7e245e961bc313606c658d0f3c12fe

SHA256
62ed1a0fc8c327301d3168dc9339238b0151872ff0268d2838f9259a00501ef2

SHA512
bc06ae6b6dc3fa2286c1d7e3949d764320284b456c9a8ba83ed0bc08a810299ce52e417a69f12f6c97f04a724627046ee8ec01d9deea68f0d348155681c1aa18

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
018e6457ac22d8c59d2e8385d2786cbd

SHA1
ed64869af03a9960c0848a0297966eabb9575377

SHA256
289b2469bf8aa70ee3ea5fe325d4663b92c96612b80847726a8b7c9cd6ef9095

SHA512
0cb5c6348ce3972e591d4bcba1d43c3aeee441fc3d2ab13301d00953a933d2035cd8ce4638ae6c30a88192ce374638a08a4920d7e407415219e3e6de2a00fdea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a99813bb803e749efe26138ded61dc11

SHA1
7b8d762a345ce9ab2aebbec4fbd5919aa19e7048

SHA256
a83970e9bfa5a3d051e30876a6cd68b2b8c30825c77b5f78a7d1cd3d2d21244d

SHA512
01b709eb34bb8231624b30fda1cf984449dc038b3880df7ace7a98919d44814c44f2b7bdc465c137a1b2a5f656c21814e55371b9c3139c0975385f1407cec747

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e87d52612e8c4e7e2288e7bb7ce8042e

SHA1
bd57823e6d8911cdd823ad136068706591fe1251

SHA256
91a2f4d98a2595e0a8b12bd14442fdf7825c62c61220945b5701412bfe448529

SHA512
d0bdb7e9f0493cc0f9e8b89ae4a9e88a6a98afaa7d595503ab4b5eb1de52e3b840717afb116fe34d12bc2ecdb858e298b7777b1e393102b2f1008c8e66296e5c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
47cee7e149e9c2d8aff05f9532845ed6

SHA1
1c368757804aa979150390da731ca286b583a810

SHA256
ce2568f8ad5db077f88dcbad390da6e3d724a15236f8b0c5d97091474e31d908

SHA512
bda8dbd1084eb7d8b2c598c01d9c4fddbb66f46176f257415accb0881f428a960e2bfb2f9c5e23fcbf3187e675a85072e4620ca958c9535cefdf8cd61c330e3e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e5ac3a8f74553e35d6c0c6e50e40139a

SHA1
8724f990a6a8974afe10e79fc61c5f144772f145

SHA256
6517245859b2159e3eb2106e742fa52d68a631be4c550637c2a99168f3b40080

SHA512
33061d116e0b08527483b0c1862f2acc2d8a1da555f5152be7e4a8589f005cc840d0a8471d58e2be510191231ce4677e908d60499791b2be5ebc696f20b6be5f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
fce652d134b48c12574181d85639a371

SHA1
722841514bfa3c07e86234b09ad9d658ba2ab792

SHA256
cee739367d08fefd66333e4e96269736ec73609c16f93def8e4b4e75271e27e4

SHA512
776c785d69896f003cbee822922ed18efc078f3b18f33f7b51f6123d8e64b0cafa4d46647cc0a574f417fced355af6c863abddeb123f85d10a958133d365be7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
11c6710fa832211f8f08c5b31e7d67b9

SHA1
fd306ffbce5d49f919ddcab54d95e3492c10b292

SHA256
8303680109d970a6679075bf6d6b44eadfba1aaffc337915b36abf595f7e4938

SHA512
e2de4c092ff0b2a1f46753b137a1db93fb7674d3ef483d8d2a000f5cf5c30aa29427ef21043cc51b63cde1ec5340b3e7deeb6d02e810aa07871ce1927c49e12c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
67d564edfeb29cfc8025cbdff955e9e2

SHA1
69e91f52488ee5f2a0969cad80df876d5ace96a2

SHA256
a157a7c9bd1da2b5f0a88ad8f0386268599f700ccbf087b8ce988ed7609029b7

SHA512
d98dae0967699c8035c625c6b39eb9110ffb2ab8c24640f6c01b3a86d0199707d372e965965408de5f7995562b56a848625bd88cdd147de1a1d960eb0fb934fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
56d6cd8c62ccbb29a2d6899351fbac38

SHA1
32d9c25df692632175eafd9d90ab368f023a9324

SHA256
8f85f5c82b459a85cf2d5d5a987b20b0e6d8406640f2509c56db8ba06db97d6a

SHA512
dbce4f6b342db04f07d9e3a538458220a8fbf078707c4948f6cd5aa308bbbb70b4daf704d300d7d60b9f282e510928bcd9857e7c0384e1f7c02c452657152fb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
7107d0796547f7f0bc1e08b045588edc

SHA1
65c1e952f98f806c344d01481436405a42f5b70a

SHA256
14cbeb23b46ed3b25e386c059f3283c8f41fa644803e0751390674c2740d23d2

SHA512
444221a1f563079f003e82d3ba0c3420f29dc54b1a2048544ecd820f894ddee6c1124894ca8172c4b26e2a6e284d38a48387fe1be40d1a6d89d682baf1d4fe16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
8c5f3e3d32d5d91eb147117203025283

SHA1
fb78a2e05374ce44f6288c635fc8e2723677d65d

SHA256
f1bd05479b571e1289c775ec98362feb2a982bdb7347334ca8b0a1cc63fbf54d

SHA512
04c8a0b66dad8868a12feb8e72f56677fc6c3870a39b8f06ba0bec9a2dbbf3f3d6205ae2d16780865e5affb1222387edd44cb3da25ef2a93fdfd482d9826dfdb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
ecc102814f4a5473bef068b7afe975ee

SHA1
4a684f2b2db2897476402b475388aff27dcd28d7

SHA256
b059de1c3cca53403dfae87e6a6592b727a1b0947fa976578102b58aa08f8894

SHA512
a569e5dfaa108dcb3f12d23d8e0d958f140c40a805f69fbe68ea849bc9078ca7b5b39d0998eb04dd175b95b12ddbd712ab6a28b0fb3b0c93e37fcdff3352a67e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
6f31e4579b1866d1733ead288f7942d6

SHA1
c26907f88500246be93cb69b0409b1243d683218

SHA256
5a764297c2a2e77a867954bb651c07c31ac90ed7a1b3d3a3ed995f99442a4684

SHA512
99bc2168b97a4979d73aaf59fc5644df1c5c0d804a259272a2ae0538841c1043c5ef4e3b3f5b7fc6e86a7f9abec15726d11d8fbe8723f6dcf4a12c9c80d0128c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
00bc542fb6df2dcb9bce6c919de56c16

SHA1
8d6cd3ef6b44711c30c1296d4ac686a8161abf4c

SHA256
10ce5d72eb023dabfea71acf658a982093daf255553f08ee3922302dc0997c23

SHA512
f6cf7a830b1a85adfe9020f5cd4e5d1ce50f0a6be045cba863b59f6281513d8eb3ad68d129ae63db18eb94f2a4d350befdf010fe8b7b9c743e754135ef66c86b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
93a87ce59d9d1ea7c5b7f24ce5434401

SHA1
86ce47a1837dd313cd5f54fea0405f6e6ad01fa0

SHA256
afbc8e4883490ea95d51652abca6e525ca3d5960038cb29954c3f94087a5fd93

SHA512
52c36feaef315c8760f37bbcbb1136c862d16db97a0e93bbde87283533a77a6b34549b01f2bf54f957bd4da15987d2af13b5a313e2a86ef96717bc2fd332769e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
5374e3358a9349603775997d353e632e

SHA1
2aff800bf9d225e8c80f2f6784d4eab9f9cbbb67

SHA256
e112ca80ae2d4041ded6b323e1c1f7baaaa1727e4f7f900bc9771654f36d4e76

SHA512
c737b1dc55b7b01f72c6275f8d790b8092d16a930c6d8885a4670adbb714a8a598bec533974a2e8f394831a0b2955b65f7347b9667267cdf4f464d6610394c71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
030aa3f6a832cee3bd4c46d345b70b55

SHA1
47228be6f24f594a1d653dbc6590de3d2947b7da

SHA256
4ef0071b1acbb2a0fe30cee22a3aeefb20648a2f27eb386a844712c2195c1aa1

SHA512
4b29ab5014949181b977f93aea3c82eb23fd640a3bab54a0646bebe55851df163720ee59c061e0b32e33a4bccb6e0b84289fd190387d0ba45e1bdf7db587df12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
242cbd0655723a8d8db270b4d79680b2

SHA1
6ccc7a8f181073d17c8d1811d9d0749ab91a2e7b

SHA256
7286fa135284422ddaab47adf49a9bc6bea1500247928789f04eb2e4f7aba3cf

SHA512
3a360e9c28808511675b443d8df4aee9b3b74ff0d3025746da83629fe3cf8cad1eb01ceae7c639dfb889db2418ef532bf9ee928efa8444ee8b64f6ca51ce9c19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
07cea0471bd9958ae367eb22ec34ec77

SHA1
867412471d9fe7ba6f3583579d182cf3dee404e0

SHA256
5e703a28951cc858c2b7ffb1c9f2699433e295a42bcbde338547b8faf7501a5f

SHA512
ec5dcd2553efd11682066b94e75880788465290806f86305ae9d776312cc13b640b5769e46b6bfefc49160597145fe8d7ca2ea07037daefb886a035d8e264cc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
b23c6e1e914f3ee8562eece6d4c0fe5f

SHA1
caaa65615ab8bce8e05aebf2759f6221c88a8bba

SHA256
a5613b8b8c83ae4c8b5d37b86ca507a534bf5028b70f0a200912a49cb6db7cb2

SHA512
ac116019070002a93a6a1e8726e0498b141b2b7b2be5d6ea9a06cdb0700e81061c0014250c6cac38bede2314617f2eb92c12805af4a26531a273424ecbc98091

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
a24ac4da26fd688d4dc58317948b59c5

SHA1
1d99a8a0ee9f6c6d79fb08bbef31a1610a165e2d

SHA256
114251a93ace8e03485f9c178b919c96a39568547b34f5458dd9b0c1ea1eeb86

SHA512
353eb77a61de276e89b5482a156ec88981330a7e82dfb683bbdbc93c28c8d609b89bff84516831a60cd7ef30e9e40864eb90b56fa3f54d5deb10504340736731

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
54ae9e29df1d9b1d797f6316b4f379e0

SHA1
d7f2727caeae8fa16f17ef4774a6ae4dd69fa7ef

SHA256
a7b4cc08160ade382d5f3ecbb033d923fee4a4d9a2b2454cd32e1401ca33df88

SHA512
1987368cc5ca572bbec58c0a82886dd3521ea1cd96baee1bebb90f4e2e381a236e17839fa2204fe7eda529b748909245e8cb96f2f595643aaec0666298245c5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
ca781ea64f3fedfc153d1180f4373bac

SHA1
e46e23599294a3d92c9d83296fac52bcedb6d196

SHA256
a211ed5873894d28880ce088280d0248de4ef85a494a5450a129c3d26fc25090

SHA512
e67dc6a2a8f0edc74f6c62aee17515cc71f9807c2911b92231f65d590858b84485580e0e5ea364ba989caed8f2faa397e1be6eeb19d06c28445c1fd7127f6a25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.5MB

MD5
fde1239abc2377e942064e3000dbe6e4

SHA1
2ef171d9b7bba85245a9274e9a94f454d250c72e

SHA256
61c22a6ee785d76ffbb812d4abd171d3fee5364c02f719ed4efd36bb225084e8

SHA512
42ff9de6e757444835298f97193f63732c0e909af5f64c19fbe5129c96ef111f09cdee14e50d00aab4b31601d918b67a3363356bd48f2817d1b95f87b2791164

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.5MB

MD5
11ca80e33b34ac58c2e6da17653a1111

SHA1
3bfdae97bcd054c9834a4535dc0336e64fff32d8

SHA256
90ffcb97a5b67d63eedbdb99f578280aa32e7afe5fba0dd0840f2216017d7f33

SHA512
32897eafda3f95c6076c2dc82b21e0cc3fb6a1a9eb7085c6b7cc8e424f77eb102819d15f87f185abdc88d24e0be4c8ac73363f505b0f4e9a7cf8947d0160fe39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.5MB

MD5
a9dfbe99260c16537d4e1e499a129149

SHA1
bde93256babcbe3b164f98f627b4b2fc2ea9dea3

SHA256
82fab4424cc509f30e4f84f4d641bb3f4594fb694f48c8a8213a5d46f3ce38f2

SHA512
3ddae32ba898b2924e0adaa240b370db5d910ade155b27698bcfcf73df206164cb5cdef3112af91df40094534029a7f5a9ede2d090de26e69692dae27b0550f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.5MB

MD5
d37783f86a601096b7a82cba33db1c54

SHA1
7419175b3413fa9dd5773b0a9f0ddf112161eaa7

SHA256
c615f80acae18060aa48017b2f8879bf163a7ccd3427e3ef6fe39da7d3243c30

SHA512
fa6541744dd92a1cdafc693d48c8a556b6b512707949e859778ce5f7affb9014d2f6db8d091125be0e92ea73091c3b885832f34741f9f807ddab26df2b24af40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.5MB

MD5
d2f6a0dedc7b59375f43f0b931f77181

SHA1
b6e405fda5f4f5e9caa74a8a67aaf3b8a167ab24

SHA256
b9529943e67c5a7730fcd995d933dcf1991a041eb59615e8ce5cb058e9a6ff00

SHA512
260dd5067e33020b182ca4a7015bdc4650af62719e587a9d1272712120cabc7c61b9c7b21587958ec5433fdd0d5d1b0dfe8e78512b0d3e535ecefd15131788a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.5MB

MD5
48e3f5162e82f14b835070c5296687d9

SHA1
f71614acc72075a37ee236e7f21b4fff4b901b6f

SHA256
542a89e603a4be542b585864e70dd220442e7f53815830ebb28637f5c2cf0dbe

SHA512
1cb50ebfb2f7c8de2655dad008494c1be74f1337a4689756c9f6d34b4fdbd2a8d979c8c94301945ba7081cc627a97c835ac8aa14a12806c169eb063282ff5811

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
c6221567fb87f033e4b39ef887f16f82

SHA1
45e42f08432758fe12054180aed4089063d8e371

SHA256
5377f5ad0c20fd046b8a9d98532446dbfd522b0161ef8829ca6b47daf524be83

SHA512
8c7c2e6852cb01cc4416969812d6e76bdffb9f0ff79b8b79d75334ce96655dfa6c321d0fa659e9c13555f1fc6023d72db4d792a827e6486602b5b13b114d82d4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
a7d7f4801d9691695588d245b309dd29

SHA1
6562fc9fe891ddd30527cfa5ab1ba8efa19336eb

SHA256
2115d9b0ec166660cd0be3b944598456885f6e4d5011dffcfad0100f0d58fcbb

SHA512
b01d6300477c93e66e655126ebc45698165405a4ba8d355a7d09be78c0a835e9b8a3a7e108bae004eb3fb5dafab34e8e74f4d92fce4905ef785ba59b04c8f5c1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
59df625e71ba5aac333381eb5f6aac9d

SHA1
08b49e66b39e84728b9c40ebe076057d1314edd6

SHA256
c54e522598b6df0763b38f75f2bf3abe3b2c240a38adad13703602e7132dfc37

SHA512
0a85bef4a66771a03cebe0ee156ebee1ab30b29bf0bc5f8dbf7cd0a0a65de948539ca0511b62f1d295a0957001ca8140aec7385164fbd9584b7e5276a9b4b1ed

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
215ab2dbfed8a6d2e2353e55d46952da

SHA1
043bef6e08319cfef169fdcc79259afbc23a1def

SHA256
ac379e2055e7da6eb20d8e429511b7ac9e5cb07564c375dce53f2b8f478631c4

SHA512
cd1f8b75dc75f5e9417a64fdba3b73c766b992fa9a8a85b92f3f1dd8bb4f6b0549986c682c0f3d2fac1978072594e8077f5a081db468bdebef421bafcc132215

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
464456ef9acda3a73da13c6b5675febf

SHA1
8391996d6ece83b2a7dc48e129a044fd618c2303

SHA256
8a7e2bdc810a2f861f6c6d4fbcdebcf499e28ab712531e81cf9145b8daa17e4a

SHA512
80ef25db07aa929a56544218c01781b620532bee75b7a685ca9e141fce1dbb7a5c8ff04988ce7f5fc036ad19230fab74d68e5d9dd19afd748ecca21d7b2ec798

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
caa76d44c2579b9d431153a785eb0a2d

SHA1
f54e57b8cc813548a182d175ac305793ec2f4f63

SHA256
5e04f1f2882420b334022eb94e6748bfb351c882db32e4b1547dda2a0e6ebe4d

SHA512
00213e1e8e96e85f2408c78c29313a9b67702cc8814a598e6f25fa635a6698cead95e98d5e8c615e5dd35ec9ee0d7ee2c0d27b3116053d4c0314bbafac4d5c59

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
ea006fd9e529f806bdc588ead32780da

SHA1
1ff3580e372979a8e67e6cfaf0b2b6314e28298f

SHA256
8b0da92f1b16c039ffa412147328862db16b78bd5513642f3bc6023828f9d7c1

SHA512
197897d87164d85ef6ed403b8c6fcfa5dced5000709bb9233e71e0b986ada0e4ec1c74654f0383a7d75ef188360a17f3293b2d1d1885f0093254784c057804ee

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
01278df89349f071e8f43c20ca062763

SHA1
cb46527c4e50b9dd1d29f77227e738e346ea906c

SHA256
538ce44e4f98422886450863af4c993c14d2fd9cdd3c0afb8b2fd1d694b0e30c

SHA512
a93ba81c863074de44ddb164586322f403e171b7f680d63f38fc3ccbf2f813106718cbab036eb016fbde1a75d8dea13acc983a1bd203442e6b045c46b9c528f6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
175d74ef1bc10b0b82dd719c5e07790a

SHA1
d1314d8f4ba8ac262db814d22c06d8b951153423

SHA256
7083d8268948829350a46f1ac649f5184bf8657c3302c9e145b486f98fc6ff4f

SHA512
70cc0d95c8c223f7bc58cd2f6c507ca29276befcaf72159fa322a7eed302da6e41912cbce02430f78b6bb7975bc5e5bacc49f2880777e777c54dd2632f27a97a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d85b53f11c963c3c98c07145a7fb5f12

SHA1
469b797d744a4c4f73ba7b15dded54e891d05645

SHA256
ef94e8b2c7dcbf666f86232afd8694e70d6929a2b950a0386da41b75adad1be3

SHA512
853b1be7b5a41ab56b29cf00d2a714fda38c70f649f63fd3d1ee4249c05a54f26fe9c6353f351006a2a207e2a8918cff1b9c38b18b3465dadb945fc3f4ab7142

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
835f0dc3822ae3fc0c3352783fc84e3e

SHA1
50830ca6560865f812e330cb436373c60122d183

SHA256
6833e92186e66a194514b10db26046272488d9705071f59270bbfc760be968be

SHA512
0b8c97c145e009702fac1f857d340d35c028d73bfed50fbadf9c151af7473df0aeb1615380bc03e1fdf04990abe5249ca60ea26f1a336ab36e53db5e076f52ab

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
c2f6d078d44be04ee10a706a5261e222

SHA1
ede93ca1edd7292cf4873344764aaae9fa0cac57

SHA256
5072c87540c03319bfd43f4e86313c10d7b13f6e0824bb5ae97c161f0a2e7075

SHA512
a617d0007415aa83834725886fe85869d1e5f79cdcb852318d77fff39510c76f047977bf1c833faffd0785f6ad34d09f7c7c7fa35c2b411db32c91d308e4f2c1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e2e7389821810bf5e17dcfb1a30861bb

SHA1
d7a5dd1386f17874a80a7ded3b06e70cbdd0da2b

SHA256
8d277a23337adb86ede814553ffe1313e790b83f5ee3a28dacb0093412ef8f2c

SHA512
b28538cc60cac1d4908455a1af74c4ae385eb29d5e91ea3afa5aafd85f2a74a5956a4e9e4bfa3105346e44ab101b76dca23198dc269b9c917adc0a4eeb55d604

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
18ad34c49de0205f4c5ca553316b9fef

SHA1
817ff7b7adc01ac62998b2e387a59b6a38cd6d52

SHA256
4e86ddf87d51a49821e49664b0add771c4f1ca04a835e33e84023a403cfb656d

SHA512
dbef847b8c2eb7b8d3b36c1ceefedcc204e10bf0dd952b5268658887a982fd59db9af681363f4305ffc882dcb9f740c79183c8debc6ed4d4c5082cf414d5e7f1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
10218ac3b9d478c6ff45d0e0e6fe3794

SHA1
8f699c13758ff964b0e0f26d02a37c93cc289a48

SHA256
decc14787227f0e6804440fcb20b306d2e5d0426d7a1c765728ee3d931e45ea5

SHA512
4c888f6d0a5fd4c9be93b63cfd25cc0de718490b9edc96bf16237e8515ea062e8dc1d9c1f5f1a291af2e3343de9900893035489c90b452c046f59f5a24ac047b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
321543a8f176af6a39b1aa78e2ab06de

SHA1
ecfe24e9f9c8bcf2b7d6d6ec72f10bbb5d99a623

SHA256
c42f547ec3a15eac52344ac93117de495bf3db3c7f4eb4de6dddc926f6df65e7

SHA512
d3a39b76446fd783c81c47f4ed0d82648c5a6442636b2e36c7cbe3347984504e4685de96d2ec04c734dcf0fd275a4b2f71344eec4b2837626f72037425e337ca

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
582a8f8869ab6be06b33ea94b4ef867d

SHA1
08cf88c6e158697f9313e6666e7e084dac035382

SHA256
bcb07c9997050788457a63128072606863f1987358acffbdfd6d756b5ddaee1c

SHA512
947ab4ec6c34cfe074db551543216d928c02ee21b40fca5e34b948d5c0b52aa6f189c46784a52976bd7329fb99df55ac039b205adcd8c7461090d6678b5386d6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
06afb90add564e73e5affa8863310837

SHA1
2b00d343252b3bc0f25ef0060b0e415ae5bc7fc2

SHA256
9aeb6d0a0b09c7346fd80707e09be2627d87bb3f3901ca07717eb63538e38d99

SHA512
9bde44ad9f110a95a55101d5a673861ab701dce188c3da7dde0118e6ac8b303574ce2473b1483c603526f2f4aee3d44e7945c42226c84a737884e2c3527b4890

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
90a476d1a1af4d70ecfa46f85d288070

SHA1
eadc4c11a6750de6cb0118da2e231c4f26c42749

SHA256
6e0d1d3d7a4a5e1f9f50fefc8b939f02f336b2b03f0282b20dfb2d4f984076bb

SHA512
6f856744ba7ed29243ba6c82eddf0fd441ff87cb7b027a1b496e1a6e53d58b4f833e3e5e461f1d75b1c6e9abbac05aedbb9ddaea4ee6e006e143675111509b58

Download Submit
memory/208-31-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/208-32-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/208-38-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/208-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/840-666-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/840-404-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1188-428-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1188-668-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1668-391-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1668-272-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1728-403-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/1728-295-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/2164-544-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/2164-339-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/2880-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2880-1-0x0000000000A20000-0x0000000000A86000-memory.dmp

Filesize
408KB

Download
memory/2880-6-0x0000000000A20000-0x0000000000A86000-memory.dmp

Filesize
408KB

Download
memory/2880-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2936-246-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2936-247-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2936-371-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2936-253-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3200-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3200-667-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3212-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3212-665-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3232-258-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3232-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3232-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3476-660-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3476-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3480-669-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3480-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3792-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3792-389-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3872-241-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/3872-69-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3872-77-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/3872-75-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3976-427-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/3976-308-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/4104-354-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/4104-661-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/4264-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4264-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4264-597-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4452-67-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4452-54-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4452-65-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/4452-55-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/4452-61-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/4668-298-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4668-415-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4788-662-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/4788-374-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/4948-50-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4948-42-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4948-240-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4948-51-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5008-18-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5008-27-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5008-26-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/5008-236-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download