6ac60661b77578060a8e5c120cfae45dc18071fcb6b28ae0de0aa731b457de85

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_5cd8c0f5ea9bd4af32d88781e9e6e79e_avoslocker.exe
Size

1.3MB
MD5

5cd8c0f5ea9bd4af32d88781e9e6e79e
SHA1

ebf56a158d9fe0b0bc0d8484783a90247c99d404
SHA256

6ac60661b77578060a8e5c120cfae45dc18071fcb6b28ae0de0aa731b457de85
SHA512

020e584dd45ace006c39ba674a1d1ff6dec913d52ebd98eb49dd0e5a5ecd7e967cb0b9de142fdbf0a530f1b44279bd94849b646f54df7d3980a8ceb20fbf911f
SSDEEP

24576:i2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedxSkQ/7Gb8NLEbeZ:iPtjtQiIhUyQd1SkFdkkQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4048	alg.exe
2688	elevation_service.exe
3352	elevation_service.exe
4368	maintenanceservice.exe
2468	OSE.EXE
1200	DiagnosticsHub.StandardCollector.Service.exe
5056	fxssvc.exe
4412	msdtc.exe
2292	PerceptionSimulationService.exe
4568	perfhost.exe
4648	locator.exe
908	SensorDataService.exe
4128	snmptrap.exe
3416	spectrum.exe
1032	ssh-agent.exe
2836	TieringEngineService.exe
2320	AgentService.exe
1884	vds.exe
1244	vssvc.exe
3640	wbengine.exe
4124	WmiApSrv.exe
2388	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_5cd8c0f5ea9bd4af32d88781e9e6e79e_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\80247d3b1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d46fd7ebdfcdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a3a60ebdfcdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fdd0f8ebdfcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cde7aeebdfcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007233fbebdfcdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028bfc6ebdfcdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f583cbebdfcdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7b3beecdfcdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2688	elevation_service.exe
2688	elevation_service.exe
2688	elevation_service.exe
2688	elevation_service.exe
2688	elevation_service.exe
2688	elevation_service.exe
2688	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2988	2024-07-04_5cd8c0f5ea9bd4af32d88781e9e6e79e_avoslocker.exe
Token: SeDebugPrivilege	4048	alg.exe
Token: SeDebugPrivilege	4048	alg.exe
Token: SeDebugPrivilege	4048	alg.exe
Token: SeTakeOwnershipPrivilege	2688	elevation_service.exe
Token: SeAuditPrivilege	5056	fxssvc.exe
Token: SeRestorePrivilege	2836	TieringEngineService.exe
Token: SeManageVolumePrivilege	2836	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2320	AgentService.exe
Token: SeBackupPrivilege	1244	vssvc.exe
Token: SeRestorePrivilege	1244	vssvc.exe
Token: SeAuditPrivilege	1244	vssvc.exe
Token: SeBackupPrivilege	3640	wbengine.exe
Token: SeRestorePrivilege	3640	wbengine.exe
Token: SeSecurityPrivilege	3640	wbengine.exe
Token: 33	2388	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2388	SearchIndexer.exe
Token: SeDebugPrivilege	2688	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 4488	2388	SearchIndexer.exe	116
PID 2388 wrote to memory of 4488	2388	SearchIndexer.exe	116
PID 2388 wrote to memory of 3756	2388	SearchIndexer.exe	117
PID 2388 wrote to memory of 3756	2388	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_5cd8c0f5ea9bd4af32d88781e9e6e79e_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_5cd8c0f5ea9bd4af32d88781e9e6e79e_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3352

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4368

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2468

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3212

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:908

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3416

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3716

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4124

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4488
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5e269b0bf7c4eca4ce169194bdd844f9

SHA1
8240c3260a24336492fbd4491692e73e638c4ade

SHA256
9920172a6b56be68638bef7f4980be139cc2bf1d47ab86fca2326dae79bd7650

SHA512
cb20a9f300050df5210aee38856867dcbe5559abb5af9adbd12cdeaf9d7e3cd86cb882e2801c4ecfef96140def855d49f0f78f27a715f4cae484e686ae202a09

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
24327c45d0f7cb2aed7bfd17d4fe8acf

SHA1
cf4bb6e10aad4da99276edcde68a287f2f0702e3

SHA256
6436c1be8f21c375298a697f69263d2bf3b49884128ea11693ca2733878ec981

SHA512
bb2b8a35de07fac9886c851920b98a368dff429c55daf82a27979b45549b6f8f6af072e95c02ba2a653b92a5feaac123a9a4ee2b47506ea76800af54b89a4774

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
75e3b2de8fe8b3fee7afaa3d29377066

SHA1
9bbbe786eddefea36c9fb0899a4e3fbfc98e6b8c

SHA256
aae6f597662cab57df06aa55b7e9628351e3a6f1744d52c76321e78bb59398c8

SHA512
b59d78c12c645ddbbdfae045cf5405c8547dcf6da643ac986e391f9deef7450a14422982bb230a5a9679b0e674f96f743029295c41dec00790fcceb31084ece0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d48289d2bed5855c40771d4c5ce12765

SHA1
5063ba4781117e56709df98dc1ed4243ec6a5030

SHA256
56d7bc40a161447eab84f664ed4a92cdf9208b5de981c42af34915bf0b9f842e

SHA512
e50c8deb394ebbbf4cbe0579770754a2868c4b35731e170d8181a937a36acc5f862d39eba21dbe24c10f74f13d8c6832cde87514711d8ecb2dc29a6423547b92

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
75b4d0714c9468f3d350980950a1c392

SHA1
a1571cc68f417912b2542028f67d3442a29639bb

SHA256
788ebccf1c7080cfd98a0cf27f68c017eda62f91e77eb18473cbdd119344dc23

SHA512
0eed64d86d565c83e08ad3c3550e2f0af60450750e04b5c9ae269c442d405a4122f7167c5c7f85b153204a214cd833574d33f1dd2c96467b3406b0bab1f3eb08

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ff1ce96c9efa4f5c45f277e56b68ec02

SHA1
b930b8b17f35b3cf4f8836c2987faba16426d66e

SHA256
108c7277f3af535442ea588c5c47e324d27461892e902d9e85dd190bc3c62263

SHA512
9c11161d6e80f60e304d95916578b0e128615aaf696fd7e6d54398ce19f4a7ebf3f0cffa6f3fcfd922c380c676e7b87c7fd4ef5f1d26e0f43955fb1a77b408ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
6eacd665066186b2044648d145f8bf31

SHA1
e8ea7b0236e0946a88be21497e6294a76a985c0e

SHA256
7929a3617f959d29a66f19ffdb434c8d0f040836182739bc9d8da72375eeef50

SHA512
9e0d41c7edd1325edfe018a0fb39a73355fbbb7868353fedfecf5b708453579d4d56ce4ee266816799238813d29e29cdfb3eda0e3a174111fa87fe4b182b4c7b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f5b2600dcb437742fc06c99c8b6b135a

SHA1
910e6812466f4d75695a6a2b6d790ab790a835b6

SHA256
f2b8b898a9490363d2eef0d2a46bac444aa2e34dd582cd42ae86ab55f9a3a7ce

SHA512
3b2c879c2bfb0fcf71121e7a11efebdd8bd4479da6bda752076cbbb9591c34ae2317059e37ecb31b778082b8f23dec4741ce4988fe7e330cc6ba0f5b77deadbb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
359fd6b2fdcc6b925bcef625587843be

SHA1
25b7a5c6676c7540e49ac740b2e579ce9d9ec0d8

SHA256
6dfe4cfd4a5e0d281a7ad84c08b6f83cff97a3222bb721d12b07bece227d5497

SHA512
e8d6cc433a6684a724eed627bcfc2d3b8263ca70ce7a80a96ed100f92a42cf3ebb3749be00374dc7659d5b5b69eb1870b1eb4398ad98742ad7e529e96535eb80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0638eeb214a3bb51b890fb350dbd1841

SHA1
04ef13283071e3d9d9c62f308318cb3f4a9324dd

SHA256
9ab5d3ca90ef1432095c8433eee97e2f556e125aca35359a580a831573ae79e6

SHA512
1d4af0e420d339b0e6b902c66e259b9e5e294115478c02039d5cee441dd8ae95359f0720575dac980738fa14cbeb3349bf8c85dce7a1bebb6fd53492515684f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
63ae8ade1e80ff243d4a8f032cbac780

SHA1
d349fb0e730e42f49b7ecd3f8259bda270621d72

SHA256
da2aeca144f8f9634df49982ff080b0e01c413275148d2d704f2a951d5d31506

SHA512
229570c849238e4104240fa095ca82d214dd895c6bb99b04da07ecddb80b77a1f1fd183dfb35151b24a512cb4a245e48939765d432759b9d656df481c7bb45c4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4f1ff66a2cab754ce0055cc1be09b1ce

SHA1
c9100383fb7edbd1bd0e16d90103a1d96db62ba7

SHA256
604ae41a9b95e1f3bcab1ed06edf9b55b9b5842f5c217e677f8b7021883d49b0

SHA512
e9cc379147904db503044d9f5829d5be7719fcdebc71f822d37ae8f057bcc089054035be21bd089054f35a8a5853d0a41bb8f650ccbf0352ed3d3ca12274e006

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0d03e307d6e8506212d6c0f57980a0b0

SHA1
2408b3606f53fa041706d6b9bcac073df0c9e98c

SHA256
c9e4d364b3093884ed496c5f8f4950a39376ad4bc5e596871ca05b4bdc8c98bf

SHA512
07bf64aee7c932170b3753bf713fee0e214edb863cafa09613d6ce577c473bbf1c711535a284348bc83f4ad7ced4afe95b5d247d0e527856d2499078c06e21e1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
93caeae645551ba423fb85147d3f1199

SHA1
ee38d35995889d295568de62f1f8016d690fe03f

SHA256
87387bf15bd9d7305574e3548d4a181b75b3a2eae48a54371b92761fafd3def9

SHA512
eae9a31d2de8e789a0d3429d1648c874bce899947782076b48f923e7e8aaa02f7c9f91f2e3bcde4f5e9ed468842fa26de734d0945dff8362fe6997d39e7ba737

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
67ff0bf6c9d55aa8e88fc96b3a19050e

SHA1
8a4a8b9cab6b8e52509272c7fbcd28b16b8f2d7b

SHA256
236e3e880eb350d6fcfb82aacc47f89e898e423e46de22db48793198e768c84a

SHA512
76153faef296947cd747cee2c1e4e8c07fe33693715fd52028d4179262c464ffeb2ea04fb3ce754d620b76f8adb0e1bbd345b2cfbbe7bb402af4a724b7009bc0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bf83acce55420e520b1afc4255e8cc89

SHA1
5a6ac1710b7a97000612b9b7d50c340e8c8a1b81

SHA256
09bd0597728b2a03a545bc859ba5f490d727300790620b56833f557a8b2a1c4a

SHA512
30c4e9f656798f73a56373d01ffb59c1e8547a022550cb88f3a8580cc5c396db660c81034b735d9f3273f56e9dd2af4cc68ce260b5df633ef0a80e0bb4497ffc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5f51179a1a0dbfb72d0f4174060c3003

SHA1
45cf45a7262e7831fc914b04a491a034cef368a6

SHA256
ce8781dc52bd318f8a9fa0ca73bd397575d9120a34194262f5c1c7611ed5ff95

SHA512
34becc927201c4dfbbd987557ab2904e53664e74d8918abd9bdc31617f498063624658a984df1b336fe91903b83e95d186fce914ed1f4b8f5dd2a6a552c3eb11

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d51876a8c1c703a2daa09f8d4569c242

SHA1
99216591455311b90fea26d9afce217bcd27081b

SHA256
c8b9c67ec8c85539f07ba82b36256fdf2ccde79b96c4b68c1bcf72d2e2507074

SHA512
df61998613b9a9f827a9956b3d29ce11c2deff3ddee80612ee312a1308a29ebe927fc0425bbf8e344b4b28fa2dcd7851e501354bc85e753fefa2b20bc5e65c47

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a8a41fcb3abe347a16daa69715093015

SHA1
9f000db03a36d9150cf35a58fa748e6b1d0dfad2

SHA256
174f72eca9ec6b0f76ba727d6e81e52de5276ed43aadef1bf09f02b4b1638207

SHA512
da3c5f1c343e9fcec5e6a4c567eb87544b524a38947beb24d54ba3734547ffb274b4b3ba965ae373d00d8ca9908af5106dedf06ea7c5d699bb0d353c2c7aa856

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5a790bcf7974e900a524f37729ab7ade

SHA1
db015fba722064a87ef557e0f3dafd160f056f21

SHA256
89037801e0f72e897d080eae075ff7ee751da1dd9345f7a4ef4d80909aa6a461

SHA512
00cbe7d78fb487fd0753009c4617463f898c8947a5a372a3b0fa1d6787db1e67d0d2466ee054960cadf85ec486a2960403cffcc63086761d3e544fb157e03f62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5782a4cbb4d348d65656b8802703b3ff

SHA1
e3d76d14ef6e64bc45248d2bae4c5ad565f380cf

SHA256
e86b84a6e6cd5874b914c9c6ebe83426208320bd5dba584ed6c9109d472cd0e3

SHA512
a0c74c2f0a3ad0fea0f0af4ff099c03e2f70277b0a50f66ee7c2c47ed39ddd097531df267e9ad8d1fa7fc2b5026bb907f9c86172dc6ec1571ccfe1d6a997d644

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
6fa7ab9f3f68025273fb58842fc8e018

SHA1
cf06936e8c44d9144f2a018271803c8a2b9ba9c7

SHA256
cb9a00b4964052f9c8863f6defef85d1b989628536c8473eec70c08181ee4448

SHA512
727028cd84d1ce01f234f86633a9138cc987ce1492c959beb4507b2d7dbd8db345ffb1ac703042b680f77c219487462d041f033e7223badd59ffe464e10836f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
7cc29e8b42273dfeb371149924633b85

SHA1
05695f2c33bd5e89e3a0e16d09c1acc5bdb6664a

SHA256
cc1b7a046b581630607867a0acbee62d37516abda78c98668948049728ca1354

SHA512
e6098fb0b45e12bb6e8071588aa983273cb74f924910eab131aa1a0d1b026555ebdedef8867b75f49942fb5b94f606d3f41d5ef977544e9033189be175b60592

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
497e1506cdbcaa28fe6207ed51e72671

SHA1
6701767b70fff01749aacbb9065f1a75589cd42d

SHA256
791b36121cef4069ba779b3a9f0fdc9340a5e99a7d0573f7661a8bced53be97e

SHA512
26a6324da44a0cefd4b7c485f62e56b6dde0fdb4d4a9f7dfe6a9629220a52d35a235e06cd3789d098da61299dc0c128a410ee2117b51dd52bfbcad60f49b4867

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a9254ad08844172e48a15bb359ababeb

SHA1
42fa2bfa1c5d9858345fc636723965074ef95e8a

SHA256
92654d5683ab82f3257f44560a1776acb5ee930de8b925b104a7ec68040c9536

SHA512
580732417618809ed7cbceb266fe9f5dd9371ede141e0c0a261005245a804fb0e60390e3a4092a4639f0b380f060c7a3aa2c3e71e8336f93d1417144fc7811d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e84559be72b0da8ba1a645dc0f7ddf97

SHA1
10e5b9878712bde27e8f27478708cb995ef77145

SHA256
974e6972539b98aafb1b0ae3f22bcb4e2f845911fe57d7096816716533010f0a

SHA512
e6e6ed92c559f66a384b38775ae128755391a6a5206f51a9ee9190f74d917726ac20d78ec5d528841393ad6ce308ae3ba09bfaaf9e63e912228e5e2037e9af7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f526d6ae7d2347c1ece6928494640ec8

SHA1
67ca0a375368d776f2ba451eaa31eac8e4bae87e

SHA256
75f690d8bf61b61d39554de81736b50c18b4171c0cf359d05fcaf1997800d08d

SHA512
8aa44389c8de823d111638db3510281471b75151919d44990d128b3801e5af1e15d194d40c0d1b572602a0a37a39cd704fc10a230dc50d72a5a72a4f87dc2b45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
5725763600a0eb3f925fadc4b9749f3e

SHA1
d0293c41f488e179c01d784fa7ca9d8372a9c163

SHA256
b3970738381e00f852813801a7c7c4d097b8b5d190cb89fa1f181587bbda0490

SHA512
c7195a28e29da672b3b3defcf0e6fc0bcfaddfde9e4f566bf96ac456e8587d0a84533759f2ea7a5673b8c93286cf58e6a768b581ac7508f7cf0431c3c0503292

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
ede6613f72f878f21f64128f133cac0f

SHA1
18c1932cf7946de86f7064ba332c8782ca2d4661

SHA256
68c0450098609268998175d9769fc2594565e2ac0eceafac66caa11d1a9a7766

SHA512
38602e4b17c5f552282afe07c9d29d623e56c680860a7b9d335a966327bae76a06269e4231770eaf26514f63a03d42fb295c655763345bca75d83bc5fa856a2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
8bef576248a2914ea5f56be84e53a94e

SHA1
4de5c1ec906ff01be8035721628eaa55c600b3e4

SHA256
253a7b39548b0bed7420b08fb04af92f3c4876253618574873d299f511603386

SHA512
06418e6605b533026b36ac080f094ced11a60b8f68d3c36aa4b3d2262357e4beb9f33227e2148ff69145dc0d1bd10b0bc6348f01a8388b69606d31c4ac91fd12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
7da8d53eec47bd3b7bb9aa10fd5975a6

SHA1
74b41b94f31f3a332646a77196275f98600572f3

SHA256
da89b312b173c4fe28aa593c7ad03f4630514175cad678d789846ce1989cdf71

SHA512
a71d03415807d21bb59017c1d7c6895a04abaf869c3da697ccf0740fa04c4dfb34e12ab8b60f154d4307a046549da614efd1bf16cece48511c30be70fa03ada5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
631de9cd37d83fe7d9a3e855b9648d05

SHA1
fcd733fa8abd59c36df5c3283bc0086c5ad82d0d

SHA256
5fe5dd91628fffb40f0b8042c9fec8c061b8a6ad27187a5352cc3cdc192b97c9

SHA512
a9b8466092d8502dd44f85086b3c526550eb56336fa3c569e8dca77340550758d4c5a0a7a2a0d7a379ee9907bf2b8456fa1d89d3dd2fc4efe584bd3fb321213c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
712335a3c2c227d982542fef3c03c64f

SHA1
8f6cbde9d7af99c09152ab793dc608c7636cb285

SHA256
2a77297c73b0b8d04b8280c5b93f490edafd4293ead5fcf799cf666a5165e09c

SHA512
2f0a93202056a410bf24e92374da01d6401c2fec37c4afcbabfdbf5030d5fa5cf5f228faf08711380b7bdebf93b4b29bf611fec328eae86970486e27768fbf6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
78f4d8e18fee3eeb2cb4630696332aae

SHA1
3b0a5e2db6636a1886de7e29d3818f6143ad8198

SHA256
897d3e34748154e1ae8180f8b231e4aab4eb87d3415b444243785488814c88af

SHA512
036b1a777daf09e130f90341e232c483ac9f65bb74507c94a8cc377218cc10e2740bfaca61cbfa31b6e558a4e4155270054307101c5380ca10b1544d457ba8b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
84a3acfeea110606845abea2e8356518

SHA1
3bed4fb6ff20ecf8d09dc116740d6fa68e9913cd

SHA256
e3114bc8689243fb21919fd990999de20085bd224c6780313c79f95e614461f6

SHA512
8866fb1fdca668d70edc2d8a79d8dcc5efc18525abfb699f3addd97804e5df266305ebdf89ccf3893fb22fcfca40f8cae3481544319ac90a1c3fb523ea1d4529

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
6fed1b43eeceb16777ce2d37df9532d2

SHA1
2db122b60a7feeaaa85291bc8feb5507fc899953

SHA256
701ead625068d9d1db3f9cef940c9d0c6e076886b308704cd25717b83500f48c

SHA512
9b34c1dde5626535206dabd3cb973b355adc3337e9bb91436e51c03b98234d5cab82550224d8106a48b7ea17b7685ff25d85b8b1ec8af40ad0689e205f11c1a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
c20bf1ce66969a7e108941671f37e5fc

SHA1
f133b717bcbfa458d652ed74a79d9ed0b9184d6a

SHA256
6bcb044255804065a08d346e9ebf6ae4f55b6f800c86b0e164124fe91615333d

SHA512
604e06a4522347f58c13944255ffe9d1c773d06c61e952c38ad978b767f175a0174d7f9d5ef7977719c5d87b1bc979486c736be2e2160a02aef8c3d7b840a2a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
f95007a2a1071afc03cd15de927765af

SHA1
488abd57fb677eed9292a1f560b516b73912e3ae

SHA256
1e034030db57abdd34aa91a592207ef008a5c7a32e163f57e63f2769cf889b25

SHA512
610447c7de875a54f63eb1e684ec7e52447c05f381671d04509e38fb1a10b103600e3c28130aeced7024fcb9b418c66835351054b5e727368738eca5991d2c0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
350d760bf71a1f12f4691ef66fca0bf5

SHA1
c2821cb2ec73f122824610c459f837b13128774b

SHA256
1398525ad897f8fc71af008ec97a61c4fa68ad84ba8ac06ad2769607493e8520

SHA512
8909ca708423d9c4c535a131766de89600c80eea8316a1ebc8a170c9f74ae9a650647e11b3fb288bb437a4c8978bb6260c0e0b0aded75efa51c8eb7f123912e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
0845944978239092d948e600c34ec7f8

SHA1
35bd9594336ddba23380b2b4da130e7baa2a4fb3

SHA256
861ba86b7593689e23fe8e7f99f6f84a16fc1258a437cdfb92ecb308547323b1

SHA512
848b04fe021a4e16817dcbeafbae82f4a7b701350be2e8d12073db3ebe4c642d8267d57d7a0ec8ad6848dbed34a32235da9287fa2d6eaef372cca82df75215f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
7cab6761d95fc8761695c3aa4e9c464d

SHA1
1ff2d9148e1938383743470202ce27e0cce7362f

SHA256
9d0d447aa6831eb1001e47d21ff7e7f823d9899a7a2d179c5ed03430bd538f65

SHA512
e7eaaa222d828dac2756d20a0745fd9a32ed166702a7d0dbe4145e02adad25b78dd54fd3c55ab01d3c142e6e980ee5ba233bf96ab652468f492c88dadfe21047

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
b807be8cb0f93734050bca28f4f57f94

SHA1
b10c904e3407aa79bad07cbf3ce49907b5255a42

SHA256
dc0ea4d78941bd135d066e196112f83b1f4ae4d73e9672c16d8c734e792637f9

SHA512
dd57fad2aede35249df6978bd22f75b49fca44ef9203d754bf123d42aed3bd701623a6148fad536325be6f6a88f438e3233e2e68d92baa69d09a5cedacb24b06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
763d4e3230bcdc24b9129da5a69513d3

SHA1
2669648226e526b521feb8be4ada5c473b79fafa

SHA256
a99e9066162131e59986b7d427d538fcb331cd2ff0153e8c969c980dbe3ac84e

SHA512
28c0132d7e091c5bbb7888b3732ee63383e7828ac43011a543e86fc9a74585d2f11fad36d5f7ad743de32a861e99e536a5e27e3ce0c78abbce7d6a33ad981ba5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
85d9f143e59662a48efb73cc472d78ba

SHA1
188c7ee775e0f5ede3788d2d232781ec1110e7a8

SHA256
8ed6aa3ccc2cd77cd4118d47c647bf8e4bdb71586b4c3a0ee6c969adf8c35dad

SHA512
0b0cb195a35d866ef46c600de2055e587b1a01366ecb6eb08ab71c19c734ca0fbcb794bf989b7495bc592726d737d63b4de547f462eef270cd2b62ec8f0f8e8f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
cd2ff3b41f7c917b1ce6aff1b4fd5779

SHA1
d5c937d45047c084a25f0189caf98b84e819ac5e

SHA256
6cbaa43b248fbe3437e3e17d721f13355602ccb34a5d63563d25f631ccda5286

SHA512
72a82da41e47e1b4c147b3e7b7c2fd21f5426d8dc19b0ba882d859e3902f7ab2701640075724857378047660e3122e0700364ba1ca1ccde7b4d54dd350ae0044

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
88f63653ff367932b859d359d52e42ba

SHA1
be3ceb36172ac4f609cbfbd4944eb1b5b9d65133

SHA256
7a7c10fcb18de55175418e3323940cc156480c5c16e7044ee07e6d3614a33b99

SHA512
7e38b6a54183fad7f74ef665b02faf6e851f1446d9daa6b6988128a98e6f34a5a0a20e565c10595f0b8aabffe4a0d6951121cf6e79370e679aa458e9ca84d5c7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
8a03e48605d4f028d885b5dda2f99994

SHA1
952557acdb47ba00477483c3940ecaadb4b5daa4

SHA256
32a199957817f13fc17a56305e538d520e502f0a76f600d3e62bab65daa35741

SHA512
5e33286223504d18c8575c92b1b26377310a29980f6f308e15e02aa670052e483ac4443fb17747a801c68f36593e2e8e3cbcaa4adfc3799943f5b4f853d432eb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c16726c7bf8b2477929e006d923c7fc8

SHA1
3f8a41ec66eb30ae7a78230019673c19c1fa7669

SHA256
d372d41edc03391e33ffdc52e0b1338cfabc59d841290dd8280cdf2f1c6507e1

SHA512
aaf0578490c2b8552395e5551a907086bf11be356afb951ff7c29a8c7424960363452da651a336cd02a5e96e9a79820a3690949d025de25d59b2d23dd14a0958

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b3b169288125188b06b4e1cd31048a30

SHA1
27ffcd868f824aefdb8c570feb3c6aa0e4a68c03

SHA256
8d240244203ef7f9698f0c002201d60f1b0729afcd8fd43961da59f93c744269

SHA512
17ab02c20195c76513a4496c1c28be73474659c5b6824caf20c196a2473ad9e00493644727869e2be098bb496df8c343a97bea788c16744b2d960641145f4f66

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
badaf47be75484a8e6023625e5aa47c2

SHA1
f55c2ac4e92858d962483f67e664cdfa90ba8692

SHA256
a69fa74e3f32687eef1b43e3e3dff3c12472ea97a9c65309ec6460d02cfc8d85

SHA512
36bfb4b7b04207c23ee66ce9bdd152db68baf0689045930b33f5523b5e58e4a3acd261435dd75eb70d05bd0af002dbbe483d95124e9a269ac88a1497a18ca756

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
04de8fe1dbe75da3990cf23a46853134

SHA1
397ff4586bbcf881442b29e30427c3e36e0f08f9

SHA256
ab48a587965a45ee3f61dc09a73123746df834694390a2e48c93b80b863e2c66

SHA512
0713e4d026b8cf04522c560ef70a2cce6ffef1bbaddae57a45cf229db670a4ba45f8d6454044c5532e6ab49ef46ffaf493137366ad867f46dbbe08bf169d4f30

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e6ed36956fdbe0c1b696ad668cac2fdd

SHA1
4e6e820949fa9c46445c41369d022c72e52a160b

SHA256
80db9d844f065327b7015ee4ae6b2b5d913f541902002d791359f4c0036a8b20

SHA512
7bc11a061b5843f8848779f7bd6e26a51238ed6cfdbe0a99e79768427bc76c48a2f5f266db4d46658d1e0952774204a0fb1f7a24873985afe388b95bbc2b0a35

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fa523e352ce5cc65805f33feb8a2f6e1

SHA1
904a176866e8000ae558cea525c8de9204f33094

SHA256
c193b3838990817e05759ec239a4788d2d03f6b1b7dd1551c28fb3b940ab0965

SHA512
2b07c747a89ef487f9e7b4d41a01f232da28f7090ca9bc14d66f12b61fa9204f8497e9e14063e4840c3efc103af9ec75aba728f254340a2b3c668cea748e5584

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7cf3eb466049c4cf6bc1f6830ce5040b

SHA1
2b298ae155766c6f196d86a5ceccb6f80c8cf542

SHA256
9fe89c9139446383bb513d905e076ab88e582186861a574f678ab59acd00125f

SHA512
df60d575d1f741e1cdd60665fdd0469c7852b934285e18670912ab605dfdf8bcb89934d91757472a1bd2251cfefeacaafb0d4efcb0dd9a0d9bb4b300465e0cc4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b60a6339705fd64c4b6ee7ce0fedec87

SHA1
6285aea71c5c7c7650409eb41c2543e619eac4c9

SHA256
b69da238f5ef7fb666124204dde668f30fb61af7e1cf11ff597603ffe1170f16

SHA512
c5078f3be76ba02675ac23a14780337508e573c2df4e46bcb63234cd89591def493142b32c8fe8794e932f231673930c997df55bd896eb8e4011bd1e3f282805

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
092498ace8fd8104bc05da21ebe1b148

SHA1
1e8c53c1df76645f09d162981acc4fbffb95c981

SHA256
b1e8acf4e3827dde772755a14594901b7d14d2f2bc8cfe80b42566fda8b514ed

SHA512
24a9107ebf736ad099bc5812c8ead6ddae68775678a43d6327c0f99be596f5fb3dd56669ca0159c3bddb78eb1396584177b38a78d5f816b273985329a87d000e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
43380999a5a255c8d53bdfd77ec75f05

SHA1
a641945ed97a441f1ab01edfc28f3f376aa00489

SHA256
f8f5781c941f0dc500bf4371d2c9a5106775ee9f87739e74b8ec37919dd556b0

SHA512
63ad2f2c1b5ff1e20b65f7220197edc7caacaa597ad022626041672bd9ce2558100e8b7a94b8c65d1526f8e0e3867a9e7bd04ff432c55b750b069e697e0e8541

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7909c6b922ae2884d3c5678bac59d91b

SHA1
c6344dfad57f34a7661b72b35a1eddfade1b1c8b

SHA256
5fbaef99af78504b8f0420c7b3094be67cbec539b525e16ddd9dbaa9d6688eee

SHA512
e6e96afe65e3acb49399b62eacb4525469f2128fe7e5b778968e733ab8f778cab111a7bc03c10622c07069e563d318f08f009dbaf5b42154b8b9904a3fe9cb1b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
29fb9c9bb7ec212d4a0499ed43971592

SHA1
5ac5f2c273bae68552388632eff34d75a8bcd27b

SHA256
ad4067c41cc58bbf25ded03b00d0247db6cb4c0c74dac79634814f51a3b59747

SHA512
d5ab06379593c90cc3bdaf6d689324bd1a9ed1ae344101f3ad119e6aa6d66f32b599b89f38e2d06e3877278f0d40d7d9917a1a5f803b143ca9b2e28e7c4f1675

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ac93e21119bc61c0ec63362577e54156

SHA1
0166d0792c115e5b0786a7ceca03d90a0827a87e

SHA256
5199d541916a6d77a22f5ae263103b0c85724b5a9a5b240962f22a2da5a25d57

SHA512
db6922e8d1617e7e3de76d53a1a2c4d3efe278e970317f39af12aeae2e27a6f5c3df1e11bbea7d363733d74ee347449167afed1dbf3130669b53de8938becf06

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
3d3580ca9192d711b447c382debf66d2

SHA1
1b763d5edc53bf9b2459465952124ce3dcf2fa2c

SHA256
52b865c7d146b980e3746b479c1b5da207aad6328aafcdcb4777fff390a5d56e

SHA512
ba9fda24d54f741eefef636e73ea815a115bc2f1025ee4048d0967e5870f7768a84f9bd062a8f2151513e9213c634f0601e3276367f964caaba1dc0c76763eda

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f9937226502b6a8301168368f238e661

SHA1
e2d71c016e2d36a89a3680651e379f7e3baa1ec8

SHA256
02876da88dba318733bba9c3d8064398fea72fe743b07a7cd7087332880ceb6e

SHA512
fed316a2be4d364f7dea93ab80b2b44e9b3038c68aae2775382af233c271df0e0d34924c13d7ac3afa2e7763c751c4c71ff036feb6842273146d9265b84d8b24

Download Submit
memory/908-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/908-582-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/908-449-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1032-584-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1032-363-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1200-255-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-253-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1200-247-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1200-366-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1244-405-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1244-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1884-588-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1884-393-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2292-288-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2292-404-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2320-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2320-390-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2388-592-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2388-450-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2468-67-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2468-75-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2468-73-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2468-242-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2688-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2688-41-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2688-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2688-32-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2836-585-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2836-367-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2988-1-0x00000000022C0000-0x0000000002326000-memory.dmp

Filesize
408KB

Download
memory/2988-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2988-30-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2988-8-0x00000000022C0000-0x0000000002326000-memory.dmp

Filesize
408KB

Download
memory/3352-241-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3352-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3352-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3352-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3416-583-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3416-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3640-590-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3640-417-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4048-237-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4048-26-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4048-16-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4048-27-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4124-429-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4124-591-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4128-340-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4128-544-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4368-80-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4368-61-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4368-77-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4368-56-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4368-63-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4412-392-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4412-273-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4568-416-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4568-299-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4648-313-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4648-428-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5056-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5056-259-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5056-258-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download