829020c8ada1d92d71bd54d3c9d42527d879558b607af9e58bbea3babac06e53

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_ca36cdd6feb07c719167321fd5476d74_avoslocker.exe
Size

1.3MB
MD5

ca36cdd6feb07c719167321fd5476d74
SHA1

135e38474e679aa64bb8a088bc2612d6b33c69ad
SHA256

829020c8ada1d92d71bd54d3c9d42527d879558b607af9e58bbea3babac06e53
SHA512

8cd5c8a1db57aff0d85340f39d2a2ac0b00177a9b6e830d2da89b86520f6a79cbb1e1fdb7a038e4b484584a1aa994c824d781167c3cfbd0d0bfec230fca8a308
SSDEEP

24576:f2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedlRVldlnXfH9gPwCn7vOb7HHcg:fPtjtQiIhUyQd1SkFdlRVlbnXf9gPTTg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3600	alg.exe
2416	elevation_service.exe
1576	elevation_service.exe
5000	maintenanceservice.exe
764	OSE.EXE
4252	DiagnosticsHub.StandardCollector.Service.exe
844	fxssvc.exe
900	msdtc.exe
4884	PerceptionSimulationService.exe
1804	perfhost.exe
884	locator.exe
1548	SensorDataService.exe
5092	snmptrap.exe
3096	spectrum.exe
464	ssh-agent.exe
2376	TieringEngineService.exe
2824	AgentService.exe
2248	vds.exe
2976	vssvc.exe
5068	wbengine.exe
4480	WmiApSrv.exe
2084	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_ca36cdd6feb07c719167321fd5476d74_avoslocker.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_ca36cdd6feb07c719167321fd5476d74_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f6f93cf716be280c.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013b1444efaceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b10a014ffaceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9fd714efaceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db4c614efaceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d34ca4efaceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000276494efaceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ac3574efaceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfe2184ffaceda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2416	elevation_service.exe
2416	elevation_service.exe
2416	elevation_service.exe
2416	elevation_service.exe
2416	elevation_service.exe
2416	elevation_service.exe
2416	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1540	2024-07-05_ca36cdd6feb07c719167321fd5476d74_avoslocker.exe
Token: SeDebugPrivilege	3600	alg.exe
Token: SeDebugPrivilege	3600	alg.exe
Token: SeDebugPrivilege	3600	alg.exe
Token: SeTakeOwnershipPrivilege	2416	elevation_service.exe
Token: SeAuditPrivilege	844	fxssvc.exe
Token: SeRestorePrivilege	2376	TieringEngineService.exe
Token: SeManageVolumePrivilege	2376	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2824	AgentService.exe
Token: SeBackupPrivilege	2976	vssvc.exe
Token: SeRestorePrivilege	2976	vssvc.exe
Token: SeAuditPrivilege	2976	vssvc.exe
Token: SeBackupPrivilege	5068	wbengine.exe
Token: SeRestorePrivilege	5068	wbengine.exe
Token: SeSecurityPrivilege	5068	wbengine.exe
Token: 33	2084	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeDebugPrivilege	2416	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 548	2084	SearchIndexer.exe	114
PID 2084 wrote to memory of 548	2084	SearchIndexer.exe	114
PID 2084 wrote to memory of 4616	2084	SearchIndexer.exe	115
PID 2084 wrote to memory of 4616	2084	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_ca36cdd6feb07c719167321fd5476d74_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_ca36cdd6feb07c719167321fd5476d74_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1576

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5000

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2256

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:900

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3096

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:548
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7bf975dd07fb17508b742fa3f26d18a5

SHA1
6705e9102988eeb1716d726a98fd1c87dfa2be7f

SHA256
51e0f312568fb4280795bb9a76ee2629737a8518e264c9bdaa043daf740d4152

SHA512
6d799e4144daef143cdc4c577b6b47c937b2cb22f60316d3d04fa881e9f1fdf4e407e3792b375c0849e226e7a2de957e8c938e7cb208e3b8dc1e282ebe7d1a78

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
82619ddd5bfe9ddb0c54d73321d1fa74

SHA1
56f951cd7e42e27a06b15aa0773dd5b814a1fc9c

SHA256
fe1d670165d636601f7db8c9eadcfea97443dc06d763dbb219ea1d83a0726042

SHA512
49d93e7ff54e14735bbbc46090e4810d191926dd6b9889b05f871eb20b257b8aeae96a45acdf2da900bc9c9f0894099a0fc92dc87df30223139b8fdac4ac71bc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
24fdf2b6895e8ccf49a45d474ae10fc1

SHA1
5b9f9755f814def83b10004d065c1d4c61bcf65e

SHA256
7af6cee0470de114afbbe9a2b0748fcbb4c0011f80128d669b6d6f0ec6ad1035

SHA512
77e54235bca479903e9aa35fe1527005b402b14d54eebd356f5a25eb5f1cec2e75b1c10a21d3323984b8d8ed9be72aa2e847f91e7cc127438b8cd6393a32a49a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
eb1d17689b015f67ab57b119ee18b31e

SHA1
a04d9c916fbb1a94a4ae18bec3f4cf57c9e32957

SHA256
2d892ec11427d3caf1baa14f644ebc918adc8359be15e34cdbfa46879aec74fe

SHA512
3841d7b65bcb6018161cd4179986d97902795efec75088fc1a1fbec822c9554305dc8f830b1523486898161bd33623fa7c2398411462f540e152eb54e83393b4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
75ffc4d1df10f6129e62afc4f4145353

SHA1
647de020f9abc318f077addcd8496d959cba303b

SHA256
aaa4863cf39027f187a3f1ced780a575d042dbc19cd6f37b859cb406c3eac357

SHA512
166545564d0d07127c4d7e46886c1dc0cb620fdaf03e6dcbcd772b34d4833cd15599a11a8a2dbe719b2e53306eb22c028ac780a92bf0068f665351926326a4af

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8a107c3ec7fbb48c04d9a5f8b2533fa5

SHA1
4a591fdb78220e926648b027b1923ef30a8c22da

SHA256
074d0e593364744ae277bc8d5c1be17e64874e2eae5f6702d6bd55bc60e3ee35

SHA512
9ce3cf5aacef267aed43ed98faa3d6fba5c1da8511f6ea33b8ae8859b074ccbd6f990898b271f45c33c63df6a38c51b9c9e1e83b5d77c95abb77ecd0c677246b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
db77cfcb1487d5fb546da08da6684bba

SHA1
f5df875371d98529546b00fa9114af2e78c1d261

SHA256
c1206ae899e4464870f21e7e79a159d533a851cc15f3ff74ed70506cd2bbc187

SHA512
2562191fe34b9fb39382639560834eacca37316936f596fbcfea600fa767f948f1a3f8f3749f964a0cfc1972c308279c1effe7839a40f7b7af3530efc94cca5d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2fcfdd35525a6675d39acd071ff1ace3

SHA1
2bbc663c954986ff1100cde0d3fd5fd1ce690966

SHA256
06750b0e1208d52fc87050d2f570060999f162f8cfba1da14553302121f5d5fa

SHA512
9fa99f0a08937b3422ae5dda2dd6fcc3d4045e2edc12b147d01f0416332465e3cdcac102e3107085408ca0d7db7d622a4e026f92489d1295acb6518c509018b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
697320f40f42909cb81ba885a9f412f1

SHA1
afdcdcd54eff003ee0cd226ccedff4fc909206d7

SHA256
8d43fde0786ae5ce0cbc4685c9d99dca842ad355507573597435af8702580779

SHA512
c863c0aa455f1b1e4dd414e292f1d33c74478ba447323edca80a9c4207e50ef9d561461a84798e00989780ec2658f0cf10a4700f7b24c02ae6df88178fb7a6cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bfd205afb2f0123642ecf6a631aa8ab3

SHA1
f30181c1578be0bda3137b26ff495dd2e6995dd8

SHA256
0014dbcefade449054fecf0c21e8751a2525d3037728eda4c63333712e6c2b73

SHA512
d2f1c2286a3d267e3d494729b5677a49618b0dd64c0f8db1bc5cfbbeeb1c0ae19f3c94c5398db5257612d091ec7f2dd83c1aaedc109e74ce5d09b014adec4edb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
143b53cccb377f8e4efa970586f74a63

SHA1
93c6f52e0025f2f1b6f903b5549942a400d35cd5

SHA256
ee49c72971608aaeeaad4d298089a710eff8e493a599e91dfc62877e1786c5b1

SHA512
3fb30ed8b2e95347c6d19f393a3fcbb88f4f8d77572006443a2576368c74069e9dbde03a4e3894aebecb71ed59e031118229361a37ec87d4331b5c53b3aafc49

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
021647a11f84abe0b3808e126d6c2f0e

SHA1
17d34f1d60e87550b9d4ee7fa3670863e627d5f8

SHA256
5cadf18d479ede991919db9cd3a5d2bd8e0487fb4ce36ff93210ae16f6c4c272

SHA512
635f219cc208b737b1d0918f36f4a2635ba51f1dc379120da9cfac36c10c673ccd9aacbeda72d478bcc0c1c3b3371b12d20d4da5924710072ae8ce9e6e535913

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cc3b849cb4d05da12b647a214ad6fbec

SHA1
05edb7659072c6e9cf50f2ff41bf370233f56ee5

SHA256
e701bbeb89c78cb757bb061d774fff66219bf9d8c59d97002837ee40c50722ec

SHA512
62e582e146f658982810216dfa852eec004db828733c0d92ab9638e64ad6acc697940191ca0a6bf16a581aa86063c372bf186b770ee52718b913243d02dbad6b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
96636d7bedd58e368276cb440f830f5c

SHA1
d55ef9d8fc483c75a3f85eae1b84e04d053a73f2

SHA256
eb5883546224203836b9b17094d2f39ed9db926c824d3578ec5bbe8c1958bcb0

SHA512
4d9eea78d1dd4f41478db88123c670a13396203d9cdcc07fa8cf9307582e71cab6b40a4d5f8c29a5a0450670ab71db90c7eb43c8fdb4d6f26fef0721de57ea06

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6286ad99cb5c2ebff3bbb39fdb5eb0a5

SHA1
4ccdefea88fae4338384a5d8a0a6fb827dfc04d3

SHA256
d8c4142f72c568142f6b7d7fe6d15bec9c51f851f83371249ef806febde5d855

SHA512
aec2fffc9b6cc939d8ebdae7bf0f0ca6e5dfbd8b49f3ebe76fe6d825d34459df812b25d3dd1bb1e0250473d8653ab2edaac3cb75f9d62c2c6452fc73c34fe2af

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
78961c3a715ecb54fe37471885835007

SHA1
8ac6abc7b385e51a8ab04fb14b22c6f416f1a3de

SHA256
d44c6d5671658086bba9ff4d39a57f9e371c1a1b719d8c9ed38fb7176dc656f0

SHA512
465971e516341ecdf793cb59b7e6dc82623a68b70646604830850ee8f2d8321601d3d24155fb506a17c2cc2e655def8d2162139d71a6669f19f22c94ca46fb2f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1646413713cf0a2b27163567ac901221

SHA1
8673c894fbca4606f3e1d1a3bb9f301191e08980

SHA256
dc8f1d29f50575e3eff98cad2476e5dad12c8b4b43cd2c0e355c7362042e21db

SHA512
05510b4cad4651d909ee15ea6e671d0ae11723445ff3db6c0c303db79d69844b58840da897b5cb8b4959273428420251c669757cfb1309ef03d16c7ad632e13b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ef434fe85ff7cb10dcf40c71a4b0d1ae

SHA1
776a07874f9dcd629c18076781530cd5060572bd

SHA256
e10c227ce220bb4ef3355c7211f4c6f376ad73f41eed73bfddab010ef66ef64e

SHA512
dec3fa71ba2a9994464e4f35c52dccd91fba72045009f37a40e4746bd23b18a4d493afc212158791310bacaadbd942e641f14023397e52e296c267b8e11fdf3e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d47c0ecab494dac89d3d2b4cab66ae77

SHA1
97e6b773ca27a8e98f3e5c77e7e9efd772fa94c0

SHA256
d7cac1e25975de214391dd66de08f7966f4cf3bd4780b072a335d8128e5e39db

SHA512
d85a183d9fb849765cbc1ea7fb026b9c41919de7ec26edd2b57236904f2d761fe11040796df8e8a5c3d3ab3f2ddcbd4091eae2ac2ab884da0063c8c90b32a597

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3599819b8f673c5d3853b6a9c6e65950

SHA1
4156ab26798a2a2587632f4700b66c9ed11a29b8

SHA256
74c95780103973120ab20efed79896630ce4cc250dae6274a8f733c6528a6cd6

SHA512
ddfe7423dbfed0f2840c69c41a3e7caee420c4b9e2ab5816059a0918e56121eda3359de94482146752840507cc694f7a708814413bc73739202ebba822bf20d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3e5dc805da12857e0620e50f27d31ec8

SHA1
ee575a725cccedd3760fa203f0e5506786a3506e

SHA256
6d5593669dc34ec13ba449f041b77cf6b1ba903daa00a98a27abaabc3151c091

SHA512
c8bfc28d02666813d387a87abd96cd29c7bfa91e6abc7f227316508b1db2c6b494bdc2b4220709cbe9a588316aa80c4a1bcf946b57b9c92084b083d6cdbda31a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
5f523186ffe6e82139299cb8015ad63f

SHA1
a3f7df4b9c10efb08be341ff941a1cb0c3ce29a5

SHA256
4a0fca5f6cec6de02749c6eb15886ef32b40ae5e31a32c912d6a5f7c7a16a8d0

SHA512
83b1be3718aec3d6281e73ffeba2798eaa1a16bece80c5509e2e0287b67f009b984596eb2bec58bcc6db4feb29dda66d30fd40381215a40ed5b248007a89e6de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
12ed87f16b7e530b2962ea48f6cf17fc

SHA1
c16ae473c6d849f121cd1c2e61a9b34a0d20dac1

SHA256
d4deaad57ed0f5c2d50ed88838da2c91699857269974bc4dd1895b8eff0e9495

SHA512
8c70b2c0051780909b6a298dc17d0c23789d8a372f6d9c13c795ac97aca8fd797aa60fafc73cfb1933d4fafcac496304563dd21910c26c396fb9559a2a24e8b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
46e5a78522e92043358fafa63b17e5b2

SHA1
1653312a7ecc45d2ce85f83f77d1363f1924c9c8

SHA256
0499618c9c785e960e0d65db0a3578d50aa91b06a5a90167e42e3ba87b462d63

SHA512
b28e1520360508b955b1221a7c61b5d3555217e277623db89023f8643c91d24551f498e15f9fb5f3efd821312e43ea53e580ceab2abee6a1866aa37846a1df6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d5e11d383ddd0a4436b7e1e295626ecd

SHA1
b864bdb5babc8cd39dc39de7afc7cb80d46aceba

SHA256
dc4700751cb8e21aa983dbedcfee2cb9b8f224c8b6454ad44650cd54b0235ad0

SHA512
808c02528d55f1f30a1492f2bf2176d27f33bcb23f5241956ebc0c1447ed46788ce831116a39c16b686bdcdfbbca8215e9fa34f1ca6997d87ec175573a666a18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9c34bb60c59aa67c0ecca823ca0f7ad0

SHA1
f39dbfe587345ea21ab650e0ce652a70e4fed42a

SHA256
4213beaf257a7f3132af3523f7cac8122534692d4409064d0f9a10dcd3ca9bce

SHA512
9e8e849da9bfda9c50ce65679cae2267a071a815ef97f6821c7d9d62f9a81b572152ecffe641827f6ad022211da5a0220711515956a07342389c29e53836af15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f53e18963483d981bffbee5ee1b7aec5

SHA1
783fb4bbe0e94d2df37951d78682608f265d9e0d

SHA256
4fbfa8efad7d4c80d25e5f8e1451b6ddf2190699ddd0081e9311730f1777d05c

SHA512
5f8e7357b185407d931f8614a4729e58fdc306d946ce632785039fae9c661f13db40624dd607d4b26817124269b019664957d587c250db4ff579290d422e1a06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e012da1354745c095b247c3d65f8b566

SHA1
e89cd9ba881dd0cf277562b47b2338f047ebca58

SHA256
c4f87bb27c58abcdd289f6916b485fdf4d701d268de350ed90c110a0f5af928c

SHA512
2d63b8a85f0a421164db638591bcf9bbf1b838ccb9200090a7daaf7adfe8552a4ee4c7cfbfc10812c768a378fb066fe5bd0675f4eacb4b4a8ca5838cd604dd36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
87196674fe3289ec922463c9f528fca2

SHA1
3c74529cec65f0dc805212434b1fe0456e73d51f

SHA256
5674f2daf961891be7cf53fcffcccb28c03775fa82ec5dcac3b608f2a7c4d424

SHA512
0c9ebb7b49428912e14e6df4a1d114d2cf570f171f4ec8bedde191c31244cad6d9ba358ac846980f23a7279470dfd621c54c27da4d4ca3e1c28d4148864f70e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4f05f748547814d0c885a899ce24e4e0

SHA1
f52c9edff90545bb5dfeb8f0a1016697e2194e6e

SHA256
7c6c664d8e3642da7ccdb08a2ff35e809be162b2fc538556e1c1abfaa79c6d70

SHA512
cb72352f800bd5be08c664b16add828f9679403265e761077c1e00624b46671a0755a097b908abee3ab5e7426c15ecfc39d33a2a479e24cb2404082bc9f47053

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
bec06858b8c631b60ff232968e955b8f

SHA1
37f42297f00e88134ad69a91a0ca8ffbf100b237

SHA256
d97351a8c3a546440dd217f89b177daf313b167ce8c8e381dfdce72d186b7ff8

SHA512
a50d6b65fe68d822dbb2f773d61a639bfdeb94f2f5bd93d7e7246bb9ce2f282c43c3861b8dff4ece2f09a117739a897b7c84997ce9305b180c79d4992eae83ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b7db8d35abd3213ab1ed592fd5d07b96

SHA1
48b03b5f6697e9a080e3d2bdc3b4b432e4ccf4ec

SHA256
77c2a1cad8214104dd24b87818106721aa3ced9f5d95c3a68805f68d36c69d8e

SHA512
62aadc0973e69f0df07f9f64f30694289ad85387e2efc0d34491fe4a61fee4a7d9ce999b90ea6c06b7c356a4610a17cfda3fbbacdb8fabba05c457d0d2b6dc5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7a15ea3bc58e66043369473e18877ff8

SHA1
380f9b52d6fc66cd9dba6f71fd561182e8407449

SHA256
a84c6a106f5856b5817ab2cd7a86284d51ecc351a690ba1b1727d2f1cafe7cbb

SHA512
c041ccf5bf8e647b8ac9de69812be79039d6200ad2c0f06e2274431e0d0e0d7b28f4bee70b0edac77f7afdd41ab783e9a70bc383ebb18eea374c1439945c3de4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
24f14f28647a5e2f0d1d5b25f3eaae8b

SHA1
f0abc0bf1df83fe81947e6bf55fd9165a26ad37a

SHA256
64f652f8785f79f6888c1ce496a75063ebc5d9370426c6732ef5cd70867c4e40

SHA512
a29e632b29fd3c8cfa964c563ac0832c0d359849880435757cc80bd55e68d16ab7ec3ea020ec1269c3884d66bc024416d74a90bc1c8d43e6deee07781f21dc33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
71893462922daf89cfece5e3b41030ad

SHA1
95c74a4dc69433ecdea9d37ed8d7157886ed18b8

SHA256
7913f3320c141577239f54875a48f16f45f9aa6d982fd280e38311f9808c524f

SHA512
41201d7ca45d35a7366e2ceb87d9b0b950278838316bbe00326b50a5a458a99112e49096f529fc767a836f85fedbd426cdb10125299078688ed1132a62d587c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
6486d74ea0c66d3d8bd066e2d96ebcc7

SHA1
e754fc88e26040a61316e1acf27347fa30389fdf

SHA256
85720984f3c73e42a90ac673408b3706ef83e0f25fbdc4086eae7259ace86cd7

SHA512
a1dcb1711116876676b09beb54a4bade3c19c43a684e907fe2c93113cc68f1d8b2a0da7c7cddea1752b88bbdfc51a5788af373ecca1b49ec627806b50150d150

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
1566ce5635a6863d8e741da6aec6f1ba

SHA1
35f90aeb6bc8265121da4360057c3114fb59ad29

SHA256
0bd2815082a5a523c49e15b5ea62704ec9da59ccc32323902d08e45c6b82b67f

SHA512
c0d21b4ba144f60202973c8c19052a4abe3a6af5fcec4b1f7a6d7a0ef43627fc30e56f60cc82b560c06ff0278b801631ccaf129c42f6cc7f3fe5645eb8517a2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
6ea6e6396a4d2a023471f8140a26ffef

SHA1
f0dacfb87c6e188e0750da7efb7813d55435a85e

SHA256
5488bc70183dcc0290cd7dbbdef8cefb57702cf05f21766f35f915ed4a482138

SHA512
f48b856317fae739a3a56d0c5fca2eb5f0249c3a7f2cf09670735c05dd2a83156b2216aeb0cc32efc34e2a40737ce541c08e67e5cb02300ce2715e8d940a7524

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
afb68f6549c8bf5ab782df9d70583952

SHA1
3839f61844707f4701387f3d265ff0ffa74c0187

SHA256
acc14bc990887d5bf75ca63ccd1f5eb452a71426e6e2c3cb5f272383f39329da

SHA512
de65a108fbe68f175de01c4d195d9a7cac69fcbca4b485a16e027f3247bb9cd889b3e38984a0a1befd7f91f40614dbe33ef3c23e9ba00660ba365fe1714674c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
0376408400ebf4cba39d2768588e88d8

SHA1
5f180d9bcbcb48df911e9d3b8b654bc74d6fd814

SHA256
3f82f881cff588d1d55005d1f2d800218c6857e20c40669b34a6f02721bd1dc4

SHA512
fe76750887ead15f414039160a2f6a40e3aece2bd4a523a387af225e29d222f87666b887c35a0d9159f3fb97236329854b7f919061fe8307d9c15a57b5760c8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
809ca711146606c89373eafcaddf5301

SHA1
2dea001fdf7ff238d4e383b76a73af59d6ab1439

SHA256
e0db439b366ef86770a52ede5847cf16b615e2e1bf6150728c92a816dfa57d0c

SHA512
0b742e6abb12ae56924ccb91c3d8d2c3ef4b7dc6400fb4eb9109e99527cfd28781101fe55b10b0c0b25b42c4747b7ae9eb199564efb58df95ba6f0985b3b5090

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
db8b2054d9ce5b31e932927599f63991

SHA1
5b5c310854259d9ca4b4ef610a0a8630599bf178

SHA256
629fc3d0f4a97e502bf1c31deede19ba5dc2e62841c6499ebbcf5766171f6cba

SHA512
ce7fbb0a4f9f635c54de053e480fb61e07569ed0ef05e71fd3b57bcb1965043b9297a1c1d25196944a69e8f3c5633ba8a574ab3b0e487e18a04d2f037f483406

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0ef09097170fe55280b57f8d4d05e819

SHA1
738d70428cd08e73ec2ee3d2c6d0515bc6b99c29

SHA256
0cdd0a141c6a06b45d60276bd54cac346ed35f6dc5c15d5326d7577dfa0247a6

SHA512
6035a5588a2036c3cb1903264ff3979d42ca0d968fa973b119cc02e592fdf50c064d0a02c4586d1653a6cc2e4fbd10fdb430b814e2f0bc76481925c09896e60f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
db0f38d97afa2cf317b9daa57748089e

SHA1
a5098a13b8812a8a3382befea95759a3ca71644c

SHA256
3d28844e2002417c3f6b477ca79ab83f656cafb4d754215b03635d3eb60dfc39

SHA512
ae7434b191dbfbf750107bd1ccb2b752e1b80a8bbe33717979cb5590372614d50b8aca30642d7c5b1bc90d9d104d646f8495ba159f63349115c1704548d85f3c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
930154a8975a691de665dd774dbb7323

SHA1
d0a7ddb917d9c0d0f78aa56935099d09503bec5e

SHA256
47605e1d08e6155360a5e081b968d3a550a813cebb9bf16d31aec789e91ddb10

SHA512
b3db7a403c450196134269ec7756bf6bd30a5eb9dd9a1c3ea1ffc325930f47a41a8b3a8b08ec95b8d475d0413b1fa0e9ad75341db8d4059599dd0303f20144a7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1e8fa0bf9be4871aee024e9e58512ca7

SHA1
e83562c1c4c309f9bf3a21ab05244881c99437ef

SHA256
c99f17e2a6a197efdaeeb2cfd9938603e557fc49effd493b06258b57ad82adc2

SHA512
b0379c7f6c184d640493e88a8b793d67aa650d9ef3ea93146b809b8bac3a095641393c3a5b9ad7ebdfadaad92c1f657cdeed2fd907eff28bd0f5649ffcf8e69e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
dc6df43a6351323d1e48f1b413b8e4e2

SHA1
a1c0983063fea52098a4a0d149e43712535c27d0

SHA256
5ba04c3bef3a19249e3daa2d37946b5fa91f0a9a9a00968389a33e3274647bb9

SHA512
9090efbe31a94fce3e2cf6242c39512d8ec0999ee30e6949cfcaadf46cbb33e89ef89eed0bfe6e2983cf84636cdcc303448f54206013416df212f01b8dbc65f9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
067a4e708216d3cc06ac39023fff7a31

SHA1
512e6aaf0cefec3e7bf5cdcc64d34f8329fc162e

SHA256
5cf129d964be5d1d7f97fff91bd6f0da4a4e1bb3dc1aa6db8af33967da52f58c

SHA512
d882c9d24ea5eb701ceeaf98420bd3078b2b6dc9e059b88c5f886294aada992d481fbf9e56741ecea61f60f8608348f4c46961b714e5819d137643fe11d34fcc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a7c0018de275f0912086b2a4a604ddd7

SHA1
be7c1345bc7bb60e342cd5830461d4ea0c699784

SHA256
1eee8d931bc004f116a911b19d0a4ed7c7c5b8f2bba7163dcce46799377fbb0e

SHA512
13c1f380054069dae16fded1a17a54d8c017fa07e0d6dc4543c8ef075dbaf7fbdad5a80d5c39fbd099cd2450c049ca0ba3492e38e2b989b529d8c61f4c177c17

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a303b143168ee5861e6d7eacf6708dfa

SHA1
f34362354c0edf7606320893927cf9daf51d2ef1

SHA256
fce388012ac8b1d19284fc788f209f578b61c3c388a841415836763f2f36c7d0

SHA512
eea834588154ac1763864d905382f2b69b441ff8d9d457aa4bfdc00d660eab5bbeb345b7b6b161cded134a1f4daad5665dd805b75eb995524bf48619be74ecc3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cf1f692d52ede8475b7ad71c193d7255

SHA1
0544160da3e0178953a012b9edf107e9fdd0a3c4

SHA256
117ea5dd8128a87cad149ed24df31cf1998e30e61330d93bd4db49f1242d1637

SHA512
9d57c09b08e38e55628ad01162e18678e86ecd5032d934be2f52af5b787aa68da2d7e1eb0957d63fd5d1e4d8b2b551eb26ba22a854e8d926e33626224280a69d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
90e2ac29a0a13e948dc12e649aedb469

SHA1
366cbfa962924716632be6bd8cc106a391d3d2bf

SHA256
95974d44f7e5f643b258bf61ea8aaef90becebd40f878e234c4b39cd5e309375

SHA512
4e8b0191d53518f7ee2d4fb1bd82abec36b8161f728fa52fb80c1fe5896e6f71446ce4c1a4a12d9aed00d6273b8a1f72b530769952b480bbd96a1e2ffbe902ea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e54254847b351a41a222e6341dc14fe6

SHA1
860c2e82c64a28fd6fcf064fb01da4cbd8341a1e

SHA256
b169c0f820fd156eaed249ad98274268c009e7f4d0483da4e33f2979729bed57

SHA512
2457bcab840cc04ddf51ab4f89c0bd4a10bad94bc7cd0fab1723397690d90d109eb61d47898954c93cf0aea0dfc3333b0efcff8feb12212ae48c3f0724294f74

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e4453284aeb46bd746d52525d3cc1c3d

SHA1
9fb7ca0eb8b30575d4e8d31326e0bddbe8b8f58b

SHA256
5d2d4c01988acfa0f1fd56e1b12eec78d5ce04b501dcae3c52b83d2505e1d576

SHA512
baf3e259399505ddf5d7d51dc63c2046b53be96fb5ea2895006e3870343a52b37a1ef177bb72adaecb0b824572a302309e2548ffe49eb1bcf0b0134eb07f63a9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e857970b8b8e753869f1a89fbe73c9e9

SHA1
cb34fc11c6f2fd7c86036cda32803d19d3b9da09

SHA256
0effa00f1664b6315cb0be0686fdab688548296567d810b56c71f297f4820d6f

SHA512
7d7b9bc354286b85321f336ec08e1a1c7007b03b5eb0be700a8d8f95a387ab4ef978ef608c056d6079c2c46a271d307d383395ced5584bfd95d5725503f4bad1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d111fa6f09dc50537849a7beea3656ca

SHA1
48aef16db745ae8e0176cca01a2aa481906d12d8

SHA256
fc07184cc7926443b5ba6abf35294d90ff31712ca29d31c417280a05090b5aae

SHA512
69e2ed802f6402cedafc88d67c1e1f2b0bb0b901307046f7fdd8ad8e9afc34d0dcb4eb11215db2ac56e2ea63119ca4cd779e50e9b34dd782565ba73d56565ba4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ea92180c45b43086e26a6b7b16590524

SHA1
fb16f5f8a7c38f17bf7ffc43af798678a1f09e71

SHA256
274965cbad78574ce850c8ae3526bf9c476abea0a39b4bb5b7ee2e09af5fcd06

SHA512
28d683869d6672e2b9bacf9fb9e13866c8304cc5804691f2ece99b3ef73c9159f7ee56b34e9745da24cea5101cd6a9e919616e97fd518e28681674a510fdf346

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e512208f97f1292990886cb2b07a2996

SHA1
f781b8f59598fa7277ab9611d8d78a82563dd9bc

SHA256
97cfd598e313529d6f3ed65beaa19090ad8e95268349dfb4ddeb4bf717444e00

SHA512
3a095413c41a2ace2ba0481ad732f7581c1f86ec2a32d1deed0a0533d87586bf0e99af076de5170f0ec0d4b001bed544d6c25642dbe8850593af6ad19e833971

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4fb85ef4bbf0baf391627e3dcce8d559

SHA1
880d35d4e2805e3103249a64361cb9e0b035fa96

SHA256
c0a917d30442e20355c799ea07685bfa39a18edc741c2b1fef42d5020c545502

SHA512
ca65e405630da9a9cf269b522f87f0f09fc524c17dfe25982d0e321e5d7269c0135fe5a9461da2e3e41a8e7f00d61e5639dad86fbbbe23dad1ee34b8b369e760

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
12d4228528e13c8e6ac084730f4222af

SHA1
35548b2bcbc9aaa28a095b35a51e97620958c866

SHA256
2411d6ef41b66de25f6ce2ed95dfbd1e1ad2e02693616b98f073f59c5f27bd2d

SHA512
68e7fe56940ce2103f565579b34220c8281130d7a61a620a9748ef075d5ca380c076f12229a352efae635b2d475f28bb153eae789cdaa299f877f60eb9f29829

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e0a0998741892e8c85301856c889ab2c

SHA1
0247f817b0cbef238c9f6509f03d32d6cec84560

SHA256
595a500efcf2e232f0fb3a269b77ff1a6826eb5340870941ec64a74f595f9a9b

SHA512
91c55f5951e36ea88f3aff0af04d9e018536cf2f66c01de7cfa68001fc11e85f8e7cd99cee36c08fca1e21feb976e5510e469d74cbae82d7f85192c91308f6da

Download Submit
memory/464-353-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/464-657-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/764-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/764-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/764-71-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/764-78-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/844-256-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/844-262-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/844-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/884-307-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/884-426-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/900-390-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/900-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1540-6-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/1540-1-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/1540-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1540-29-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1548-656-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1548-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1548-447-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1576-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1576-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1576-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1576-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1804-414-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1804-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2084-666-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2084-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2248-661-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2248-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2376-658-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2376-372-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2416-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2416-41-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2416-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2416-32-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2824-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2824-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2976-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2976-662-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3096-653-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3096-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3600-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3600-236-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3600-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3600-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4252-246-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4252-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4252-252-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4252-364-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4480-427-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4480-664-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4884-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4884-402-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5000-66-0x00000000022D0000-0x0000000002330000-memory.dmp

Filesize
384KB

Download
memory/5000-63-0x00000000022D0000-0x0000000002330000-memory.dmp

Filesize
384KB

Download
memory/5000-57-0x00000000022D0000-0x0000000002330000-memory.dmp

Filesize
384KB

Download
memory/5000-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5000-56-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5068-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5068-663-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5092-540-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5092-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download