b0172ff0fe605fa3fe46e2cae883e6ee040e44530fb8826753cd036a60b6bede

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_be3acd66601e49d0f020f4fb8bcbee1f_avoslocker.exe
Size

1.3MB
MD5

be3acd66601e49d0f020f4fb8bcbee1f
SHA1

8afa25361c7186524ffbbb4bdd9771b71985230b
SHA256

b0172ff0fe605fa3fe46e2cae883e6ee040e44530fb8826753cd036a60b6bede
SHA512

a5091324343f96c9d62227fb7fa64f3d4e5ff8177645b8ae80f1b4c529e205813938b9992203124cbb15dc6396781d11a204162487b768db158c549baa0bb74d
SSDEEP

24576:R2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedwZiUJXca/VQBIe2dhi8OP3YGv:RPtjtQiIhUyQd1SkFdw9TQHj3D

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
672	alg.exe
3752	elevation_service.exe
1612	elevation_service.exe
4508	maintenanceservice.exe
3680	OSE.EXE
1624	DiagnosticsHub.StandardCollector.Service.exe
2888	fxssvc.exe
1940	msdtc.exe
4996	PerceptionSimulationService.exe
4348	perfhost.exe
1032	locator.exe
2760	SensorDataService.exe
4408	snmptrap.exe
1404	spectrum.exe
3912	ssh-agent.exe
4204	TieringEngineService.exe
4716	AgentService.exe
2756	vds.exe
3360	vssvc.exe
856	wbengine.exe
4552	WmiApSrv.exe
1400	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_be3acd66601e49d0f020f4fb8bcbee1f_avoslocker.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d472695c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	2024-07-04_be3acd66601e49d0f020f4fb8bcbee1f_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal	2024-07-04_be3acd66601e49d0f020f4fb8bcbee1f_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076e0b75db3cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd7cd45db3cdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f666ff5db3cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d4ba65eb3cdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5d5af5eb3cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fa87e5db3cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002230a75db3cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3752	elevation_service.exe
3752	elevation_service.exe
3752	elevation_service.exe
3752	elevation_service.exe
3752	elevation_service.exe
3752	elevation_service.exe
3752	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4824	2024-07-04_be3acd66601e49d0f020f4fb8bcbee1f_avoslocker.exe
Token: SeDebugPrivilege	672	alg.exe
Token: SeDebugPrivilege	672	alg.exe
Token: SeDebugPrivilege	672	alg.exe
Token: SeTakeOwnershipPrivilege	3752	elevation_service.exe
Token: SeAuditPrivilege	2888	fxssvc.exe
Token: SeRestorePrivilege	4204	TieringEngineService.exe
Token: SeManageVolumePrivilege	4204	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4716	AgentService.exe
Token: SeBackupPrivilege	3360	vssvc.exe
Token: SeRestorePrivilege	3360	vssvc.exe
Token: SeAuditPrivilege	3360	vssvc.exe
Token: SeBackupPrivilege	856	wbengine.exe
Token: SeRestorePrivilege	856	wbengine.exe
Token: SeSecurityPrivilege	856	wbengine.exe
Token: 33	1400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeDebugPrivilege	3752	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2184	1400	SearchIndexer.exe	123
PID 1400 wrote to memory of 2184	1400	SearchIndexer.exe	123
PID 1400 wrote to memory of 376	1400	SearchIndexer.exe	124
PID 1400 wrote to memory of 376	1400	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_be3acd66601e49d0f020f4fb8bcbee1f_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_be3acd66601e49d0f020f4fb8bcbee1f_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1612

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4508

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3628,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8
1⤵
PID:2348

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2144

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1940

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2760

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1404

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3580

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2184
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
e8ed3602972d1cb05b64de82982ce7e2

SHA1
50fcff6a9e2fcf1fb52eef2ad6b3a3a69e9656bd

SHA256
a704514340849dd1e8d332a9b830d4f986abb37d983155aeb71c4fff8687b4d6

SHA512
b47b36da8a9802a6f1e652c1c0647434f8fc642b30d49638a1addd44847960932356f8d61fb63e6fc4422beb592dde8bc9d7e1bf5428475278d12da4670f3b6b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0f6b04c9d179962ec5fd18a4cbb8950f

SHA1
977cc8c37dd678f17370c6b3018b09f72b0c7c14

SHA256
15c83c3de204248666bcdb935f27a302313d64b159f1cf93e343cd326f43fcec

SHA512
cccc010fb39c24c36ad6f5b93e340764bf36796fcff63c1b833fc55a3a9c221ee54a17476d8c555c989334fbb679ded03431556ebea507aeff46887b6add4dd7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ed3926872130b39cff8dc8656c2b9ad6

SHA1
7a8555df65d0f932e3b17f3713f0729f2ef45827

SHA256
f03e869c0b956542f58b0cf0195eb3bf37ee6fa090a3547d3dca856c0364d7d2

SHA512
a51dc8e9db1a072242876e226d11178591b4fb09a4c8aede824367e735fa5daa1ec850c2f1040f557a2ff0b18f63942f73fa92fa3caf26ef8c0a4593604fa2dc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f747afda1086c2b50317104c4b5caf88

SHA1
e3708041c4298d73e7f03c5c70ff2ec5cb31d5ea

SHA256
cc41630a673c0305a5a519b55b9bad2489cb9428f7737a60478462092ca0666a

SHA512
e3b753100a0648552ce2d6581e9545828ef5f98dddfaa29971f68810c341208eda39bb8ad1fc0cb73f720464f2e55a466dbacce0fbf7e55461e793d631381526

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
78f6c7a7e507e15efa50b7feecaa093f

SHA1
34b0b184a3691afb1fc07020b4d20c0296165de6

SHA256
23bc396a7179274742d01a06d6dfc8070d4994303f1c583e669b99c9983b6cbb

SHA512
08b67ade6b7fba8ed4a091548db2a4ad63c04a3f3bcd3cb7907e5f1dda45ee2ac1dd31dbaf34c25b31ac31c3f63a815334a0efa8cf19356c0d50413a4523d0fb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c11f0c5543164d9e0df5ee9e40e37e2a

SHA1
fe939dc10c6cec42950cbf35a4eeb3c342bb8a2c

SHA256
508429e032695a2b1ff075f2ff8a44bde1eb6561fce7a120ffc16d5ddef19b54

SHA512
9f550dfaa54cf55565dfba3368f0f65a020d4e32a3fc9a13fd3567991cb52efd3965ffbcde57476374d69093add261ebe373f2f8ffbaa646fe00d44fb7ea8286

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2d00d2c10fb2828701ccbdde3b77260d

SHA1
a9509ee593b4e0244afaba5578f3c4bf461ab3a9

SHA256
94c35c79027f5681469614487ad06d5380871e4b79a5a110f1a0e05fc3f7002e

SHA512
b58c1d63473b6c5adeb9731761be73e5bb2a6762dee33b34009f728acf4e0c23a139346e786fe1e3f7f8880f664ac4ed2389f27c26f9ec591b00f5465c36e126

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c9f3160775993d389fe51a5b6ba1bb76

SHA1
638c0e189406fd103d920f09cc07ce69a55765ad

SHA256
928543d04a5319e044e9364ca52237e6fa600314a08e84edf9ef07187f4da7e4

SHA512
aaa16c19ef2ebbe32f4bbd5474b36f4581083eb5d45d504ac09a54b4120d1ed77d0eefbdc79d99daec651bf38363345964e532341e6bb51071cbaa17b51aaaee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
56a0f9381fcf07f9a61f2280ac76b934

SHA1
e87dc5b0d3974383d33105d708e07d2bf2fa2cbc

SHA256
c9484ea21682e20fe113cfdd69a0c7a2c0f0dfc0baa02253ff4aea35263f1692

SHA512
e098de8f3548c09b0ac28e90a1d1dcd47c7ef6d54840f7f623482fb0619d58f0a22d13c20f3712c821f8d93d57cdba4f87cc7746f6a198b05531c11d2d5d1cd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b786416beb68625e9cf2ea67bc32601e

SHA1
0e6e1b411d293cd8090e8b2b16e0219c7ea8a9f1

SHA256
7e2f41fffb8bff62dda5f24cdcaee72eb6c173e553e9cafb8f9dbed0988c0ebd

SHA512
bd66d853f252387fb0e701a581ee81f7aa81565f2769e9dd45811b0c01eaccfcccb5b986577b8fff5b67247651cfbeebbd29e56a7c55c26ae1ff2fb46479a136

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6eefeaaa7fb9a40d204ef014080942e7

SHA1
c949f4f0fde2634ee1ba72ffdf508c4a24ce308a

SHA256
3db6574aa5428c5bda2045172e7d6f7d8295b81deb95549f09e9aef003ad5c43

SHA512
9da6218bbdfb0e6d5e6fba7772691de91f9a2a583debcc4e9f19eb5ea02942ca83e4273ae77465117fbfc529f77c8d11eeeda1de1ceab718c2eda9c7a6af9762

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f87c18020d1733375db4ad4feddd43b8

SHA1
60f8bf17e8a226548efae9f794597729da62d8af

SHA256
1f21a77e73621e93be7f7162a52554e245ed853ef41907cf1c402dd17c55422c

SHA512
965a2aa7bf0367ef6548df29fd332dab80556b6c124ac2c11a07b5d183857df750dd34ed709a9e6c7a554de30a6ad7f3fe5f9603e7183b3237b8acec0d614aff

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f2107155f47caa482fd16b03a28d20bf

SHA1
6a337821cf796e8443e889cd711d599789c57232

SHA256
6c344efd5cfa6330526bb8a5822fcfda3a874ef2f4d01900b7539b799fc64e6a

SHA512
c2f3b59aa4edae83ce9c4bbb5e372f446dae41f0f3db4ba98d340f2339283ccc6321ed268db05948342e4b2a75311ee8a2472bf5e7a016eee0c3b1946e38b57c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8e7c7aa98a015122b51dc5fadba453e5

SHA1
9f7dab035045d6723c58e45edc3acce0e07da7b3

SHA256
368c04cc177f574c58e4ee9fc3304e2e4bc7931bd954b31920f17815bdd21441

SHA512
04ebac095f2ed724c895f7d49874558c4df6664f86011c2cd936aae2885b4732dd29aa4f6800b570ef2f3bd49a3c9f062562f56726cd06000748ed13186c8886

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
eb47a9f249a4eff35a4e50e3d38d51b6

SHA1
4d219d24c137488d2628fa86e018ccf0cd1eeaee

SHA256
a46577b44dd3b0257a2c9be6bf6480fb8d7b0e4e9efc7ae091a8a681175eedca

SHA512
b6307ba968fec9f29814c3f6d3fca9e3cdabf921fa2c57a7e87e134e8a2cbe3f384915a4680f328e87b4f7e1375ea90ab90d40fbb3347f6ff14a6744a6f5fd4f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
52cfe014e39eaf19e0c7b93dcad51ab3

SHA1
e39544b7b69bdd7e3ea98c42064e13f1489bc5ec

SHA256
3a272537bb076a8935426e128cfbf5c4ee44cbb98461eda8a04e5258e0cfd6da

SHA512
24da8bd2cd2234185ce697698f8b7646ba3b351d5c3602c6ca87639a8b35f94c31fd8fc0bdd7d0fb8bbebf47632f18a6ed3188f8b48d4564a64042374a620fd6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b424af11c4b33aa25feebe5bfa2b74e6

SHA1
8ac26dc77801a91c0b5335536e5c95115282af07

SHA256
0f74c4d42a03eac035ab3dc70c446c85a201351d3bbdf8c59dcb343f3182b85d

SHA512
9d8cb7e4bddbdf8ea0a857f5f0953bcf32845a29848001a58a33f6070dad963386a5825ddc4b0343f2a2be6584f531b7f100a0579cbf08307a048705d300458f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
957481d82a5cd00f9fc1431ab77a993a

SHA1
08793f52a1bbee56d9343c76f281c82fa43bd5b6

SHA256
76f6e16a217f4d5d999239f46679a8c7ef0a865759c94f14989135964e59d538

SHA512
65e6c77a8adaae2663e8b87ab46e6991ba48347fb44983e0cab2aa772e461619a71ca5d68cd130bd30bb797cb937964535c375a6e568b6405b8e2f39a1702591

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f2de1fb012814289a8758625b8dd0123

SHA1
f79b35a656e804394d120958d5c9113a949d40bc

SHA256
fc2209739a205253c0d738804a40c1784f3b6875552192e3962c09461a0928e9

SHA512
48e8ad06464e9a860cb0036f4ff9ffb12424eee799287f76a81bece29cfbddb4d861060c9fccd09b8f14ea12c35633f55e5e9a8da1b14e2388129e49d1e8ca26

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
de14ee763f55f479adf1a4e7ebd13971

SHA1
5196c71767a79f8abd61c3fdc2553ec1ca484a2c

SHA256
16069608ed61042183f2aa1ee107aecd0e8fbc66490ef869586c7c2376c7fc01

SHA512
d376a3aa8d294ab98514a043967a6e1ad35d25d962c27f059d70ddc11f3f3ece1d32ff9ce3070647aafff929a474ed4838f25fb1e19d68bae326f859b2b657fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
7366fb3f06f3b28a19da9a5f2b441965

SHA1
31294210b70573d60a66a11a6fd9b3697637d97c

SHA256
0cf1d7ef1ade7aa114b40dba944e2461ecc58f162f34b485359174636724c4ec

SHA512
13d748bc65afb02791200f5a6a74497d89be74785335abe665f3dbb91072b6d0bb98d4592d4bd8ed657d11e65048decba8520352d36999a60552f09b580a526d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
864e2ecdb102fc1372d9998e30875ff2

SHA1
eefaaf88a2cc4ce9fedd8ec25f94b1028db569f8

SHA256
6f914399c83755cd144e9f5e5d8bc147bab9251e69a22910dc76ef13a550ee76

SHA512
a312864b8dfb9345d00d0ee93cc982d69ff359a1d49948a28d8f2f8fc731ab8df9b534d1cb42aff5e2394138ac1070b9ac2fb152fe4bdbb228d5024a49cc3831

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
52acffbe69b0834d92f6d678ff4f49d8

SHA1
250f2c1e994f637c5ddd3966a5f7d97b84fa1798

SHA256
70d9e8557a2e8bec87dd9b3ebc5b7229b6df4013bd691e63b4471718ee56e8b3

SHA512
adf1fd6acbe30e4b92185399d17b456cf0e6e949930596b66f974db797088d721a0410c02cf8845dcf1c30af85ce7db6f2068ee6eba51824bcd139e77979a187

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a59de2df86709b93b3f2312bb06f924a

SHA1
4af86440a8afecc728e5dbb956951d887ecaa8c3

SHA256
56b84ad2e9c4d5acc8b1a308b52cb3e69126d0423b2d0be7a21a515cfc94be9e

SHA512
d6a9cbd915d388861d8797b2bc364cd6fbac1f0692284bd391650f3b6e1db92df17aae0c37014fe999c42189f5749eea6dcf42b684b97001cbe04cdb83962737

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
020efd53d7a261f3c259c0345c8a166e

SHA1
0b1e07d85dfcb4c764c9c35de3c8d628d9295284

SHA256
34e08222d778e0f5960b78b944cf62d27e24eba9f1da16721c4796f02fa5459b

SHA512
4482fb569e895c1bc58cb504cb76b09efad60f53fd56be4ed226ffa0f23560af41d95275c06959d21c44ab70d6859b4c9752c4d5fef366a900aa589c8371cd63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
3f3fee0d6f4e35847a8d0b39d7d376bc

SHA1
d19ed6d101285da54505e887e41aaf41ce7e39b1

SHA256
41046f1cbe19b1a85c9e35c7e51b2b9933a688e3b7c149df80fbb6978594257c

SHA512
dec9f186837dffc2701646e0ce7c8eef50bfe336ba1331ecc6221bde88c624f302f25ea2a056e6403b326e3eb78779051e51556a98a50af4fb44770854e139ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e468217faa4fff72aab50a6471c98d40

SHA1
1cd2f6703e06a7ee1aca8ba952ccf02b847340da

SHA256
45a77c1559e1116262dfc8804c46412b3af14cc58d0dd1fe6032f7eec4df77e8

SHA512
282c3ab4deb86b703d75d7e368916057d6b33556d821451f13524b7704a1b44659b491c3873974e4ed7b8f096b20b86b4915de057ca52595895398b943ad874f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
30b10b86117fe7f69a575b26e5d34639

SHA1
4a7c34f73f620f8b7af4e0ce9042ba174943d0f4

SHA256
6bb61d577aaa2f2937647290808951b1e814e38df6c04994ca5eed76c6c3db82

SHA512
bf8857634d576966e5c088583edb508a6ba2f4d6491d66426b828eb2ddff53b4b9a9d2a8c6f2d7540d858f1ea252b90f9dc8407b96750b99291424091c491d0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
16703f910918b903331db4e5cd2b7c68

SHA1
fcb08cd90a03aced60ff62994e7e8402ba3f3134

SHA256
ecd649a1a469d439a47df88e36259911820ba6a8d14404e333e84d4ab8bca3b9

SHA512
6d07b81966882ac4bfb43637a8bc8daf4183aacf07df6db82824615ca35d746eff9005588a2c0f82ace7c21f59fac8266c74d9df36bc9f0468897b0bf784f4bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
050b03a10405856b90bfce133491de8f

SHA1
c61911ad1c6903e4c620bfdb85c521ba2f520f20

SHA256
277f726fd2547196c672987aa0c1f59f9d7ed6baf5e584eee146f7f3869f15e9

SHA512
22152ea23364a0fdcc91c48eb8bf4536a006974caa226053e0835067aa28c8e0f3919c8ce819cdf057f59e07f221749e52ae7752b57d2aaa2f489ffeb2f546b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ab98d8ae92304df08c72828cbc0f7203

SHA1
4ced3ddcac501eb7647a67ed6eb5270e1a5a82ac

SHA256
4108e8f8502cd99161565e90e6227541c96858c2a4d981ac42f3e5139805a979

SHA512
b91967683b949b910aee8af741752fa8c94cfe7ccbe15d59ad814d86facd51cb53d24feb5aca1079b4d5dbcd2396a5eac66326e904eaf424ea11baf355655012

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ed682bc8dacea095f958f78bc54bf4ea

SHA1
a50ebb81ae31a3b55e72e798320f5942c4bc4a1c

SHA256
9d4f75adaf34cd9613ece261cd70d51ae9e0a1c7fcdb17bc206347dafd69d655

SHA512
5ea8bdff9877c4119eb5d5431d83d7bc2ae43236d5dc6d94f107d2382885bd930e0b62ef9b9b5b84746da9c3d5a60844cd2419f70405df2371ec44628eea7256

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7da625687e3e67f9fe751c98bf51db3c

SHA1
9e21ebc99e93d08d93e32f3a325eeb4eae56bd0d

SHA256
e96abf2c9e53a4481fef20dc2f947598fea705fa75aeaaf623be77fb3de72d24

SHA512
2ef6343606903c30e1ed95eaf99b022616c033091a5cff658373e500564f8a1be1904d0c8fa0c4d184b7ac050486af6d2b1cc27ee1ed101c7422cf12bff0b117

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5723f8d2f09dfa01d27968276dab2e5f

SHA1
13cf3f1521a6e168596c06aaa820411ff2ebbb99

SHA256
a4b0188a6febd31ddb5206f532355ee3715e3a90580eede501a5fad69bd7836d

SHA512
a587ffa4d64b8be00b2c02988ade53bf9933cfe07f8bc229d2e79daaddf8669e0e62b98f527b94e28917bc8432654bb51768c7b0440c981a1c7be1268afdf7cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
22c428acbdca53cdedc9e4aa8ac340d2

SHA1
826f2f730e68f68b15c6726bc893fba02c7eda5b

SHA256
3964196c4a68833146af3e7ea82401b6cdcf2f8b710342f2d53749e2b72f35bc

SHA512
c6fa70e9924c0f4931503d30497faa04d9a19f3cda206bde56f6251c7e8eade8b46f888c10d6dc2367872e2d15d2f0732fffd5fc2eafc55a1e4d92cf4f1f6c35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a81b7f259ee74fa90b8b23cf62490b41

SHA1
b854b7f6baac445ecdf31c4f0b17ee8dec5f8ae9

SHA256
fd1286769be5aa468262b06bf06457c716f5cb5eedac2920e56328645352b888

SHA512
7112f2108e58d36f0193fba9c223e9a0f6fd4df0308305213fe548d446080d4b3a9f99ebccf2024302de12c4e2a7bbf2d609b2e7c564858b596f8bf86aa7d412

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
cbcbebc615bea3fd3c7477f40a4d2f3e

SHA1
545d08e29b025fc5d82ba452f50caad75f1acfdb

SHA256
a9a2f80e716742dad380f7cdd70cf8998259a5d7d4daa749691e8e2840cdbf76

SHA512
e8f6bcb7b429692d3b8d52e7cc2f6dcff543f41e7bf0be8f4b0529069e25877c465a617837bb0f3ad34ea9f2728f46338fd2473286db8eca3426b4dfcd213f8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
b7e3dc22f87711368909784ecde17074

SHA1
529baffc830c5541fdf1dc4a18c5585b0ae033bb

SHA256
700d593d766c4816504d6ce413fc66d5a7295275d6e18b741604ce2c7fd74d59

SHA512
d8000000e44ee833e1c8edf04d573333cc40ba59049f37981b748177021e8dc6655678742c2e6b6b2db11a5eda0ec4c60cf577b21861a3bb2b158ec35702492f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
96cad1b0d901e2758efc659fdad64905

SHA1
5a2aa1423274202438e82b75a055cfe4ea1214a0

SHA256
ad8b38d61b5b11eda7cd4ef4e3b2c44e2f1b1af3a57659789bfebf2524ae3e4b

SHA512
d897c7e90ad97c5bd9dae17042744eb98c43ce84b3b6d52c68ac737a43000a6ef8270b03b3c11bf17ecaa869ef84b6b7a91423018d7abe373c13ffc11c9f002c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
133a8e13dd4b9c852c9e19e998e55634

SHA1
68180b0ee7484f843ea9ef772f7185a49ac69a4b

SHA256
7a794ed2c318034c4da137f51585b6403728d11927a00e7ba72171586eeaa21c

SHA512
894e740cbb7992f6a144b234c4ba3caf787bf275087df2a4c6104138227c84314c986f67de35c0397d7e9727871517bf1dc4ba1a0203ba341ff96a66976d4b0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
8ea22be961d91adca63f0b927e64c535

SHA1
8283a7f230622f29326e402326edc866ba571269

SHA256
f21f2d0da4cb3b34d18cd4308a76e08742cb03a051835217356f2ebbcb7bca9e

SHA512
09dd011df17296b9b2e68fdc9f236fe5683e7023ff82bf476882bcd732c0bae90706eb21faf3f4c28657c8f1f2f96454a0d04b12ae998d3762486de81098869b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
950b81859436445bd2926627bbe19289

SHA1
76dc6b4b33b3f939df5f2cc7ae7b97982c9117ba

SHA256
ccafabf2626f9f8bd353eb5c34bfad98277c42a1e0a90a886c67fa65d966d990

SHA512
f510ee13d4cb78bddf72a4dc5335ebbefb25e0ea55d2fb8b643b51d8c8631942c6d7c4058d1d970b672b64654d4c110956ad23fec4eabbfcc7c0df45db3da298

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
28c4af0de029ce371e907da0489b0ea4

SHA1
f2058e35544e87737d2ba15e9ec6ddb4bb0bf12a

SHA256
9145729d0d17d7107c0a97eb3153b637b056ca275c16d5b28963ed5955b918fa

SHA512
52a754c896885f3181b3e40b9c0447608a54c5807db9fa368597fc5b45dc0e421c7badb8c1174cfea7dffc474e2268a133a638ac277d30650056ce6bab361f04

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
fa96a07e205fc19299575cc74a732e59

SHA1
b7d9abe9d11ce8d7f6f6293ccddf8fb709af4a59

SHA256
e9ebf3104aa8c8f72a00524a38f5b38d305a8be0013434b3c43ee95750ae57ff

SHA512
1108bcc2933e258ed1fda67d48422f8dbd53798586954409b35dcf6f40751baeeabac42116f821f76b6ccd74e51da722d7d02e042d7a15a489bf6e1aaca2830d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
513c3efc63add89fe991f8e82fdd856a

SHA1
be4e2b8f0dea9409ec5e38afa6a8ca19e50f53f7

SHA256
a507295c6b158196992d1cdc1a6446d58787fb33fb260d564d0df7c642f22bae

SHA512
241a4fb6617bfd2b2d45e215af0119fd25f9c306ddcf4e7124a61ce9e281a294799c1548f991f6f1f448d7f7cd77bae6b09c667611ad04489030fd12ec4328c9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e1ee9c4800a59a3562a3b198c510f729

SHA1
f7321d43f8654bd4f97cfe405982964157ae5c49

SHA256
fecdb135b752e43125cd323b19c0613caa4456f220ccea86e6ccf0272c7242a4

SHA512
a7450afaaace038a34f1bcc1cc273703087376e303e39ae779c69eae39131166f6c04877044a8fc13122701e28057239cf52b251ecc1848df862071cabbc79a3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
68887f81b913f524044b9e454c0e3fcd

SHA1
026bd051c7a30c44276366f54ccfb6e2055bef10

SHA256
dc05ff4120bbdfbea643f51ab99bb62529a037e700da50439d4207e4afe65cc4

SHA512
016c1284dd35aa55381157758d98f898167b0b5b8789d82fcec76cbd80b628d93e5affddb00aaddfd6a21909b32eefa42c11e4e95ea259fffd039fda1dadfa4e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7f3bbfda3aad5ea6f09542392a63dc10

SHA1
1b18d6a2c8bad9e5f092ae71a0aa8c06449357c7

SHA256
ab289f4871eded907d7c1b29645732b0b5630ebd44fa12ed11a6d6b074a80071

SHA512
2af7020d32bd3bd4e23b6f2c727297c7186e43943530abe2e5778b9203d21950c7da0d00586754154c9e1b8bb77f3f7df333af609005f2b0834cba10b7d09f09

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1720f5ac3a273aeeeff8656125b60720

SHA1
8f3d9c4a11250d95d5c0c127c3325dd5c306a3b5

SHA256
30468b7cc280c0b1cc44cd220021fe1429b56879f4dbd216f810c338fd447237

SHA512
fa1756b3914f9e4960c6cdb31d25b2241dc3a499edc6941521c61e726098ef4cf29eca3c4d014a24c17f47cf44f2bada4048e9abff2fda67ebb30494c6b481a0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b4c5bf4e33ac5c22a80659074ee6a9e8

SHA1
f0c1b1b1409f3f55f6b991b6c7cb6d6c2f016318

SHA256
85d0c9b0015c786a0f7c0b57538c9d427d76411cac6178e361e241e20f4740e5

SHA512
3d1da24f9876d0474ad1cd4dfae880099f7426a71f38e90a25f2c77fdac029219dfb8d67ab2adc9e99a1740aae3e2db0fde1ad2a03fae814e95168f89df636c0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8b47b1ed7c045251788a0d141a03016c

SHA1
9f2cbdc14fed45095e1ba35337179ac4bb1ce090

SHA256
5d23dd90e8e080bbf4b68081164953eb82cb62b1b703a652487b34fd090b81b7

SHA512
2f81c4f69a4e72114a67097f221f15fea1d93425872a831876d22ecee58c09f81326f67d05ca10a994d4c7d4d055b2e10453a80c72761c856b1a884d4eadf0b7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4c0ae5d02b5d30c5c509743c5bda37fd

SHA1
809ee3f10d16a1ef45253561c68c5801a464358b

SHA256
ee4f7ce07e9fdbb1278daa77feceb93461d6b3da73a4502f8419450e304c4b05

SHA512
5dd38244ddcc0105a19cddadaf96e94243576e920b737046be56c461a77c2d4e787838ae289850e812dbf08bbecfc12b0dc1439c5918ab65047bfa0ce02b6f94

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
30956dee167f8c00d7584915ea5e52aa

SHA1
d548a83e04c585b3fdbbc002de47ec2af829d707

SHA256
f1fc8c856d1f444c9ff84e6a33955226a39e44cb12e1976f4158dcc00b5fdedb

SHA512
db996480f8b3ca5ff66301d63d18403f0b7ff7bd17d5c095fb0a6fb7b872db971a6dfbd44e725258417b678ea6d6e5bc02974e1f7a53ca929865d7196779177a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d3c653c072f8c125a900ad31f7c49dd5

SHA1
0be57d83d18f10f715307bf06fd89367e222191c

SHA256
2cbe4a9109e84f3d12de62d1ca975dd1f77dc6f5ae386f2dade2c912df947b99

SHA512
474738218f4ee7ed0c9a0da38c0004b7e9c84c0108b1a8b9c808496bd2d48142d000ddf27702e53ec204846d8bf6539d244cddc1deba5dad184b0b63a0ed5d73

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5f53064494ad97db3a4da4c2576ced33

SHA1
1d2601d588778f174bb330c647bf573dd5741020

SHA256
7dd970f4dc3ccdbd98c758d21f06e541ad9002b8cdfcc6fa8b1c3f2c9cea0bc4

SHA512
32185fe6f6790c772c96552c2d58066b32cc1f364c75dd7d138641560428174b97f6023bc6a4f30128f42ab734bec7cabc7c29340cc1fe2432fadca6fcf71e2f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c8bbe33e356b7bba040b6ef55d1a4f99

SHA1
5eea9ea382e3472fa5ae161aeaefd57c206b72d0

SHA256
bc1687cafce447a623682ee566ef0142866058d6cc49609adda290a0da87c4a2

SHA512
4602aac9dac6b9927546aa4553e5f411968a1089a1b4bd6e8989db99723304765653bd2c77219c360faf6bc5b44b7e7c2f26ad0749019910bfedc934b0b59aa3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
98eb0c5109ee31bab062decf97af1d79

SHA1
ec6f2ce5cb49c115383c3d0dbf89294712f42937

SHA256
c258d62808a24e84d80be268c6feedd85129c9cd64193b5f234670c7f2a98b7f

SHA512
8be7435566eeb1f9258ffcfe7c330db84620ce6167901165a628e3eab3b8582482528259f2b95daa06dd59bafb5c226898915e86e896a8b8b75d02c9c3ec6765

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
5c9914505b9d0d17e47ff83b266b2a31

SHA1
f17f5169ac7d5ad47508c946d325905390802ccf

SHA256
8c7daba93381dc4d4ab904014c177b6cc5099bc133860c5c709439497ace43f9

SHA512
c2a051e881cd303e0a3fdc585e6ab811ca9056a0637f41cb0e1fabdcc54bddc9eb83f197356e4471040e04c694352e1add0d2cd8857a6f8c9ee22a5489f1fc24

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ab8569781b56a86def4efa8c39246612

SHA1
599f676fc0476c9fd1e70c0c89dd6a8f57f118a6

SHA256
98908095edb376bee8d122ae0ea6f377c964726ae505d95cdd8a817ee6de9e80

SHA512
d9c463be2db26aad1130bb451164167ab7d988479ad42a88e7fd0d1e9edaf0c85e780f269127670efcc1f949b5cad6e942d00277cef9b4162dc3cfbd3d624bb6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dcf6de8249a3724642c2b1812f4314a1

SHA1
e6f2f97e099ace3dc990a13862a6b134554e3400

SHA256
9e9792e5fcdb166f24ceec9ad2c163e3ffb4b0a862c27f272ea0da2712cdcc9e

SHA512
1934ce453b63439106bfe534e7404a14ffdda24cdbf873e2033ff8aab638e97f507a0f85e161627565471046024feefe81d7f9ec5c62ea1349432b4c12a86fb1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ff470fa32e9b58238933e5966f5145c0

SHA1
a0dd5b9f1d28fccdb77fc9e35f3cb4f92ab0efb6

SHA256
e966c4695108486d52e4fedbd64e2baca2d3d859ada231c37f6cb9935f17eb32

SHA512
6fbd59c3b159519a77f6060b1d3d4d6cf3b2900bf6d07981c7d5ccc89be51b73246a1c780990fb162c16e8a75da87072286fab5ca59ac34f5a3425f64b8eeb19

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f7a13f4553b4f18129d5113218519166

SHA1
7199c84ebb82cb99ba8e678a16946072348f571e

SHA256
91ec3251f1c103aed6abca1a4f90e41f12d83610f3e9cb5f25528f1ad0f6505b

SHA512
d7d5d35efb9d9a2f279bcfe108de7c3b99f397a503218487adb62a664b377c4c2823bdec0e7287bed3904f18bb2100e810e2736e42810877ec9cdce1a49c014a

Download Submit
memory/672-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/672-17-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/672-26-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/672-27-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/856-652-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/856-423-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1032-315-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1032-426-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1400-654-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1400-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1404-643-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1404-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1612-48-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1612-50-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1612-42-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1612-239-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1624-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1624-246-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1624-364-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1624-252-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1940-390-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1940-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2756-649-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2756-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2760-642-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2760-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2760-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2888-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2888-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2888-257-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3360-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3360-650-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3680-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3680-74-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3680-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3680-68-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3752-37-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3752-31-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3752-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3752-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3912-353-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3912-644-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4204-373-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4204-646-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4348-414-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4348-304-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4408-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4408-559-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4508-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4508-64-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4508-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4508-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4508-53-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4552-653-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4552-427-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4716-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4716-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4824-25-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4824-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4824-6-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/4824-1-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/4996-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4996-402-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download