3efbe1a9b1421b0777e9bc8843f0c678035f1635f3c51a0ef1c78603e83c80dc

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 06:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-02_983f7dadafa3c838b7b86b290a87f3b6_avoslocker.exe
Size

1.3MB
MD5

983f7dadafa3c838b7b86b290a87f3b6
SHA1

6921b1da52ad4d9a5be651d956219e09198e29ad
SHA256

3efbe1a9b1421b0777e9bc8843f0c678035f1635f3c51a0ef1c78603e83c80dc
SHA512

d74d68e30e14b777c775ba340938b7af719b08058ef1edc500cf225f3d53f3be34920d6c2a5d62095c02a32ed5e49a61670f561bbcf071916bc2dee16e7018ed
SSDEEP

24576:F2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbged0SkQ/7Gb8NLEbeZ:FPtjtQiIhUyQd1SkFdNkQ/qoLEw

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
928	alg.exe
3732	elevation_service.exe
4536	elevation_service.exe
4604	maintenanceservice.exe
2644	OSE.EXE
3164	DiagnosticsHub.StandardCollector.Service.exe
4680	fxssvc.exe
3564	msdtc.exe
4084	PerceptionSimulationService.exe
3500	perfhost.exe
4288	locator.exe
4644	SensorDataService.exe
3652	snmptrap.exe
1000	spectrum.exe
4916	ssh-agent.exe
3700	TieringEngineService.exe
4172	AgentService.exe
1776	vds.exe
4472	vssvc.exe
1516	wbengine.exe
60	WmiApSrv.exe
2904	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-09-02_983f7dadafa3c838b7b86b290a87f3b6_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\556e082e89816891.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-02_983f7dadafa3c838b7b86b290a87f3b6_avoslocker.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	2024-09-02_983f7dadafa3c838b7b86b290a87f3b6_avoslocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86062\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86062\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	2024-09-02_983f7dadafa3c838b7b86b290a87f3b6_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-02_983f7dadafa3c838b7b86b290a87f3b6_avoslocker.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007915905d03fdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e916715d03fdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc508b5d03fdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af8d675d03fdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc508b5d03fdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a6a035d03fdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d554d5d03fdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068fdf85d03fdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036037d5d03fdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3732	elevation_service.exe
3732	elevation_service.exe
3732	elevation_service.exe
3732	elevation_service.exe
3732	elevation_service.exe
3732	elevation_service.exe
3732	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3872	2024-09-02_983f7dadafa3c838b7b86b290a87f3b6_avoslocker.exe
Token: SeDebugPrivilege	928	alg.exe
Token: SeDebugPrivilege	928	alg.exe
Token: SeDebugPrivilege	928	alg.exe
Token: SeTakeOwnershipPrivilege	3732	elevation_service.exe
Token: SeAuditPrivilege	4680	fxssvc.exe
Token: SeRestorePrivilege	3700	TieringEngineService.exe
Token: SeManageVolumePrivilege	3700	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4172	AgentService.exe
Token: SeBackupPrivilege	4472	vssvc.exe
Token: SeRestorePrivilege	4472	vssvc.exe
Token: SeAuditPrivilege	4472	vssvc.exe
Token: SeBackupPrivilege	1516	wbengine.exe
Token: SeRestorePrivilege	1516	wbengine.exe
Token: SeSecurityPrivilege	1516	wbengine.exe
Token: 33	2904	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeDebugPrivilege	3732	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 5092	2904	SearchIndexer.exe	121
PID 2904 wrote to memory of 5092	2904	SearchIndexer.exe	121
PID 2904 wrote to memory of 4728	2904	SearchIndexer.exe	122
PID 2904 wrote to memory of 4728	2904	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-02_983f7dadafa3c838b7b86b290a87f3b6_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-02_983f7dadafa3c838b7b86b290a87f3b6_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4536

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4604

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2444

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3564

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3500

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4644

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1000

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2408

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5092
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a0157af84868f1c0020ec3563151bd81

SHA1
d1dda0999472ca89f4fe037fd730d1a1e604b572

SHA256
ab9c151e3a06560b08f1968160eae83e8533fd9b711d305bb7c39e7cd33457dd

SHA512
63955f93c08d4f2f14e28138a9ed4a2b15e7ddbc73851d8843df2acba9d9f30e724b4103f19754b3f774a15877cfdaae0333115eafb61635a9b1137943f9c28a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
149eddcfc2f3078458a639b98daf11ec

SHA1
ddb34a6e4d3ae3e1d87e7cf4d0d7fcd5ca6f7760

SHA256
672f4195b62cc72d607437df50b7f60e222d8dab6ee6a7816243afd980164fdb

SHA512
e8272e6023aa34fde6bec3b42a7222540a5535c13241b28afa66a67c44a97b15fbbe5f61ef6eac5e97357b7a220f9c996f378591445aaa4f0f65fd897cba9e2f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f13db408d5cf207c26b6166e15350d97

SHA1
2c71689c0369c5356c5e3582f29a57460a22f710

SHA256
f2b6c0118d0b8e7095a36a07bc3d9655d759477870c3c3d6bf92f42af44c6e5b

SHA512
495e05284e8556dda48b151a5b417727ebc9a2a973cd67c6f982240a93b7bc8a08a578c0a97544fb2f470f9eeca8ae6ebc750f49b6b5c135bf7de8e1d9567594

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
553cc9dcaf50983e674971933077966c

SHA1
d8128ccb929eec252712ea9b122b441644bfd709

SHA256
f6d7a6a42ba6afb01cd79c137b1067acbe7467cf9de74a2d1fe8dac5f9a32343

SHA512
5748d5dc7d0b93e7aca1b1c6607394454d577e1c0e795a95fe597e1213dbc7325118976d34bbc68f7dfd0ddb0c160fa9f44e7161c62c323e104aa0570f71bbda

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
76d1d0a5649bbce7756e9e751e861e20

SHA1
0162968e54614a1554e2cace06235ed891a71f8c

SHA256
1caf66d58cdcd923c5fc49ee25b9d5801f42732361f2daa3aa3cf5b02c2be38b

SHA512
d619f15b47607ac5922d103097738b245bf107beb6f7149738a4fc2257f1bf0212adfa3381c433437f78966bda90187ae536fd4dacaea808fe50f8152bee3463

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d171b67336619342e38e828809df70d7

SHA1
ba213c55bf7f049d671181635ad99718409f8f10

SHA256
fc698a641b2b1ad5c33be07be170c0349dce60f8008d9ca945e75e784143e00a

SHA512
e9e07dbac80ad30be0b4e3396804448d4915abe56a737a8803ca7c96565cc7672c5f60543b3d947b8efe98aa831b25a0f4b33a9d24b72b32d8e39c28982a4bfc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
95dcbfc047db605af078c63f073ba0f8

SHA1
65f75d4250c68a6ce1b54056b8618d2dc2276bb5

SHA256
2a27ed55858ad531acaaed0571bbb92f7f3182bce2ec569360f8128dffd594ed

SHA512
30371215c8e114200c1919b1e46080e7221f0b56bff6f2030da92ba75f858be542fadeb45fe4c44c21bccbecc2448246ea916f41902cb02b57cdadb05307a268

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9db213dae8eda74fe79c8d3a55e2649a

SHA1
79259e4341f91e46dd1767998c891d4ff3ab074b

SHA256
b7ef2554ef0ec723521d4a482f40f7e9345f6922f4fab420f79a094de8d6d268

SHA512
0265c356289c9570dd784a91ef524af09a5f29dbee0195585ef88118851fc7b916badb8834e45de0b236170993e3137145e203578e81bc428f4b17cca8883778

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
651bef6418204229992b6148f58c2789

SHA1
2091062f72bcbb06ba8aa33e7e7c9220fcbee4e0

SHA256
d7930a887ee53e49842eef4578407adcff4bb28a3a8e21426c1be85cfd9274b3

SHA512
888fb2087faddb50e079d5999c8068e51e37c70001cfeb7228ea90d9a3bfa432e557813ab0cd1acc0f01de5d20c87cf74ee5ae6b9c4e6c1c1e41290cf15c608b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
53b513b9d669033e9dff7d24cce3301a

SHA1
f66b5989ff78775109f0b35099f0539de5704555

SHA256
6667002f2d82859f337d2fbc636f201962df6c0719f8e3ab699c2d16b5611316

SHA512
b6cd8589148e8946efb701b5dda373627b871d8a27722d1eaf73a57e3584a536a375781d65210afad868790379eac97d33b36a0d77af13c6d82687313f3062d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7d17c219e2b3fd2b9e2b69a367316237

SHA1
2ebde2b55d8f60978e4e942c7b5d40de15bca788

SHA256
e654d4c83e26ef2194119b37572205a66ec15f86dd92c340dffe71bdb5f3bcf2

SHA512
4ddde6e7b506f07a5ab1da571b8689321a7fecc9e511e49e574f67a094322f317ff6c67956f2ce0c4b090cf368910c332cd56b11d11fd75562e921ab68b3a476

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bb797f87d0ac13e6058ba1ae08014bc6

SHA1
ce4f15340f306cda629e55e6eee896bd26156f2e

SHA256
e4dae3260a12af22738ccf62cf6098f009bae2608ae5ccaac50009b5403eedda

SHA512
8ed0fc3d09b4fbf7ce5c10a1520b8253ece105d06b22111befc319137ff9b4f6d4f8a16cf420e4d6821c91e0c84a43e1f981bb7d75f0823b304669a465c54546

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c3249d565648d5f49f03c18996e08fab

SHA1
4d73d45426529754c6e410ba52520b0c15adbdb3

SHA256
064c0d0fadc3b5c5308dcb44fc9185b182ec2f8944bc17b995b76461d5357d86

SHA512
d6e7f9a62462b1337fddba9b42683852b9077b3fc4a7be9c23cf1127a939f21dd9ddf8359338a67fed0939a07aa91993a386f9592e60ecbb6699b77e5e2b3610

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3c04bc7fd700f2095362613129ce49b8

SHA1
cdec9b23ee97b6ab38992253391d5541791755aa

SHA256
3f4a0b53e5a1b24a9e533e2c76ea34b36148539dac1f114f4840d6bc617ed584

SHA512
f6b95c48cced60019adfde94c000bfd774d26331c33b40ff3ad72d01a67c22a3fc886603d4498d4348736252bda1d8789eefe2e42b6b3d0398cb8f5dfa1436ce

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
04659dbad5ac1c750a7b04bdac40bb62

SHA1
ccbc87cbc222460f1cd3da51805207a6251d4c1d

SHA256
720cfc954843f3e101d80cd5ecfbed8ded4e6094ab425633d5bc452c1c9c578d

SHA512
32d04a5e6805f4cb49dd1ddbb991f18f7f5eb6bc912e8fd93353db3f0184d710637239635a9779a041b0dc3acbad3e019098b5f973bcbc50078a5553eadbcbc5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
d413c5440b8eef8d1241de3e8d8d3973

SHA1
37cfca804cb2e471e3042589467131166b66c537

SHA256
46aea981f09210b015a674a6fd57692f5af722e1f990b78f23f5857898cbb80a

SHA512
fe8f50c4f55986605b45bc9a44352ae1ec3c7167d57fa8e66bde71446ed069bf0d50c0859ca9517f76778ac938459b2d005b850e7a55d2784b9fb2a8cca53550

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d6e6c42b6a69246d4e4f654f32397598

SHA1
a9b44ed76e4697045104340fd4f767d3f8d927ca

SHA256
a606a17b3b9b6c4be9e6b1a79fd84cb1131b5af4d9f1d4bc3f7b6b12b32ae691

SHA512
618926e61ff750fce17d62ab124f53c74a40adbbe774f11d28373f9a078778693ee40a1ea59acd3cced2318003f14c9a6e5ddfb3086e9df876adc6fc40398739

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
0a0f0cdff32e022537bd05493e95c6b7

SHA1
cb687560377b31185f3d5a49c38f97ec3b732cf6

SHA256
efbe1fee67292b2d27b691c5f677bce1e85dc0ff8af4a54e8a17d23b4b0e8b79

SHA512
98e488f8a7f889a8168ab8047533dc777f3bd21b2e3c3242e4d8f8358e0a258e27b9abd398483370b7ccebb0e3f19ebc4cb3b7410772116596b1ad8aa01c1b7a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
67aacdc5b04723695e0a51a969e3a5e1

SHA1
5e74fd6723eb035d8401822575b9a04b06eb0b8f

SHA256
7810d5abb659dbb963f8e92607e7bdad86ab53b54033c615d93866a072b4035e

SHA512
d0774bc9ee1362eed84f9c7c860cd1ce74286ef50c32f7b034cd0f204e044453b9877a481a6dd2caf41f87c57b066854941acebc42fe71154ebc81718b825e93

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
1756c019587cce5d0930f9fb17886b03

SHA1
0b7c64bd1b340b3e7987596217d3330cfc674345

SHA256
2e99a2fcacdb5d2121de276b88af1e4b7123cdd6c7ddefd44f3794055dbc27e8

SHA512
ba9daf3b916175d8da008fa6c7dfb674620fe7999038bd9160ce448c8f39a67705cdd9cddc16d7165aa238e9d8b6256c9363c6aa178228ef85f8f98664a383ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2201b329b397a6c216a98f476cc4257f

SHA1
cd6105824641961f5d13ca676ca6b71b31e5efb0

SHA256
f059c0895397ded80e603604d84b6465c0550f9b7e71a918d4eb8b44bd260031

SHA512
6778f21c19a6d688ad1cb9992999cf73d0002dd135eda0e203ed3867d92f3b5c68e39ef2c6136b429dd68e4fccbf1d6e3b3d2f7923e1f5cc6d647cb5f61c483f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3accefec8948bdb1ada3e6f0ce266c67

SHA1
52ab3d7b51ebc14173d23722cbc77bfa831129fb

SHA256
bf9a14163ac8a358602ae9ee4eac42bc07d610a14b17267eef8a43af68d9a8bf

SHA512
2b88ea22494cff49f60db7e0c2425a0951ff63da66d8d7966fded023ae81b11e6d29e6b8603432e255074b7749538afbdd86f1f63b45cd011f6428894070a38a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2106e2deac3800cd2af9b723c97eddc1

SHA1
e914de73a720de88ec93079ac9465c89b5ab4a9f

SHA256
b90636bbb13d75ff770d27e675fde249b02c8ce46003ca401b30d3b0ae19de77

SHA512
3719b85495cf70024e914be42406aaeaac13cb03dd7e564e83c6cd19513a17942e5e0fdd1e4811befcb27eae69f518cdafd59fd2338681a0eb34c3a192ee83d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c50f1b2b256dce86e012f00e9e08800d

SHA1
4775911e4da8cc7da833ebacac4cb0696b6a558c

SHA256
9ef8d38d030b0270e5fe928291787fddc5c992a213a7a6c471375f73f773c4c4

SHA512
9bc29c808144915b54029918043b38f0d9067cc0063bf3f73a027747006734d0a723ba3787b8a70a73eb74dac49ab98a31409493fd841fa2ddc6d5da9a4e3d53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
3ac6e2e672126d70710ba84dfb32dcf0

SHA1
9babac419ec47fe862625063aa1d6b07ec3ac7a4

SHA256
0aadc7d79a3cdc86627aa8d2c2c78c91de2f9165f52661a8021f1576b3edb011

SHA512
6089558aa5fd54927d3b1a036637e1705687c2a91a779d22186ce8e3f16689775d0af7dd6fd4c1a490cfbb2d2ca8b4298e569345b5f9e79d96f278e5e7419717

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
cd82282ceaaa026d219c6267de63a2e8

SHA1
87c11bf49456879b0e0de235896b3cd4e02cbf36

SHA256
5bca9104196d65cd2fabdacd120d5b245e936815cf39630788a4624ef40ffa24

SHA512
08b48df29dd538ea89a03845283e082734cb5f51166f3086f103314c9110812dd350521e440f22ae570e4668d7a22cc0ededa92da96345d441516fd515ce388d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8d92de2b9cf8335f35f019074a8aeb5a

SHA1
54f3151c8d908ee628b04576a972fddeeeb9c302

SHA256
e792ae7e6ea9f5ef416624e5990a3190a327b00ea35133ae23557f3fa34f1f7d

SHA512
99a2916fa1e7bc8e7573b15a8f1df57fd751220b944fd5214cc65dd972c921ce9ef7da40596dbf99912f613b3c0eae574875e48345153ca1c324cfd439acdc30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f56b4b554063094f6301fa18bf28d9d4

SHA1
fc3be4aca7163b09e7d1832e867f59c6fb4016e3

SHA256
c4347803726666705c83b5cf49c0941fd37a1c06e020ef7b38b4639ed18bece5

SHA512
54adff746057fbd20f30725019ae58a1ecfcb3187d23aef99bbfa488d7540402cd2608353b04500c7d1aa7e854bb532c53c4ec3b83bb079f4e3ddf47d150280f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2152895f74357b609cd4aae7491cb44a

SHA1
b69fe58a6aff7b791bcfe91d19ff81853e60d5eb

SHA256
7d2c29bb3ce6a919c48571f891098909da52852eec527beb0b4afbb37d28fb0f

SHA512
14f6a993f62ca1a944eb542c9e9870ddc306103c529a51d8a142208bd25a3fb2fc5b4bd391440f0937e85c88b252d44a643ce256f7c1a70851594e4ae5966d3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a5ce7b85495f5b63715d099a7cccfaaf

SHA1
d6dcbd768c30fa2ed3cbb763d7d9f7485cd949e6

SHA256
d8965e018ed49dffb8f0f3366b920f750123b4e26ec45a5810d57c10b083d7f9

SHA512
09a9e489d49fc88bea43752d53819096ca4651b8680da8a5e45d66d72f170b6b9d199068ead9d1a517318994e9b001f60f5888c60f3138a3542bf2258f4eda67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
71114168f2425d05960256125b975955

SHA1
1ee8ac5f8356e4c20a7b741ca495dd1934f4e276

SHA256
61bd8b208de4ee023ff1a3a1f67a89d28ea30a054633169bbd0cc33c2efc2597

SHA512
542733a5431234e702f4413f2b331cd41e6685d9e7c4dda16fc21336d74b841182b0940af4504fa8d1897abbfc97f8d6ddb4964068ffbd2f94e9724ece693a44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
fdc629f642c528466efeb6f38de6f728

SHA1
4eef1329df2274e7a03ea7fdf27ea4b8b09281c1

SHA256
7643df6388bb5ee7e773f69157258e8f359d6ea87b057ac0884f08ba455a0380

SHA512
1d6a0cd08fe99c980960b9292baedb7e0ef3f8b11a07df222775be59c583584674c2a43bf8733f7b36c50741934d29fac0404b0657b8228d55172134bd6b9837

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
654d2956629b197d6578dee47917f5c0

SHA1
1617ca75204a150f51ee63c3da54b42de93609ee

SHA256
feebd53b1a764b00adbded87ece503cd1650bd9c4ab2dfda8129bd2f2f9910ff

SHA512
041b7c82619c20c0030744785a46a00b41552ea5cbccaa0361e67339ca3e65b883214fcc9e78e222e21bb62e4585951ee6261d5f38c4266382637f0387c110ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
21f4512d0556d46bd14d40be98744273

SHA1
6d83b6a304ecf4b358236c1ee45b3d5f35c06247

SHA256
ddb4674122c202b1a26baa85a85aaaab390a3851dd29aa9dcfee5cc53770a94d

SHA512
706ceae0f1880094a1b858c8ec7c04091ef7cfc730ccf762655149925ec52858b2b3bf869b6ac63b346161fc21a088712c66d601aac582c17eb8c963db106cdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a28e2d00ce02c5ff3eaa7b2f5efbb371

SHA1
2e3e3eb39bd775733bc04a421f5da8fe59d05a71

SHA256
06af6bb9d42c2de72f3acf3137ec4a5a392ff4ea21e3d1a4f31f4f4037582c1d

SHA512
1ded561c782e9ff62303d6e06c4b2ade97f2bc396499bf2c03f5c7955f1adca15e719c1760479af22848046d242deb1f5091a80ce0290294c385bccc588c7552

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
74f9ac997409b49da3ca32a503cc8411

SHA1
0001081220676d26a4d252d48ffd22d3ecf96a4d

SHA256
6cf12d7b9d44de26fc6ff35418bcd3109e1e4db9d9e9c3f464b1647aceaefccb

SHA512
544d75309855d1b3516cc12f9d4f1506de7e6a79ef30a70e7e5393fe44aedc3d46969eb7118f1b864f405d29d9a3d72e8f349666ae4b9e5ec473c7e9bb606f02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d022bd13a8c571cbfead51dff5c19fc1

SHA1
1e23bb0ea7f1051fdb7c88aa59027e5172b0a122

SHA256
4db96c98241e93f07e2ee7bb8194bf99823dbb26da22c1150611b0ed1076e0cc

SHA512
2e075a0f78158ed3979945ee623c89b664ccab3452fdddcbac4196397fa588ec8cf3a2f18523196ccf36582db068a12662a909b5e62e7358d90111d4ba5dd1ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
e0648277c3fa587c8f2e00435b1465d2

SHA1
450d966108badb64ebec000249f3f99c255dd523

SHA256
cab4abfaa588b5fec8d3279705e4153ef4d70aa67c7e6d59fca0ecc8a961eb77

SHA512
3b28128ea0e50a830799ae22229e4abbb721dfe1198d8d6f7f5482cf6380cd8644f728a4fe64e62c14fac4fe09f96ef6367a3d1b0c30e8b9e56afed3ae9ecb4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
30966e9b488688b1d0f947edc4cf4368

SHA1
47c88b25a90e4e2995caac5a485c86c4f71de9f5

SHA256
4b70d11bd9e9fe125b9418bca9fbec7f2bc483e1d1a2c259db7c5bf31951422d

SHA512
37e864adf68d4885bfe951ddf5495542d95f882418f22077de2c9aeb57c66af7ff29bb381a31a15adf39cbe314cc157c60b11a86c4962883bcd84ce17096e038

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
b5b9da704e05ad84b0bb373c94bf12bf

SHA1
9699939b6683a895a46acbad6c2899ca738a01ea

SHA256
86b1d0745791ae974967a03676b457f14d9365019464ce1957b0cc91a1c82bc9

SHA512
25c86323561713b952b7434272c6e9ab3f54229ca7a003227dfddd0ffb4406ba3eba1b36651be1c595d34cc2f8151683b0bd80fe5febc280ee4cb6fb025d95af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
a343ffdb30a8d29250dc91376e8276af

SHA1
0ae1a42ddbd8e58749843e389fbd0c14c96dae9f

SHA256
bde38a402408de8b58ffba9f6fcf92b9d360b9eeed944e62eb89cd5a5777f257

SHA512
bb911f718a6caeb879aeed8abeb94d8dc89a4be08aae37f88194091e3bc44f1f0c353c50b3f60ae016c113775496a688c68ecefaba1a691d52c9cba6950a0602

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
18640580b67c5f0a1c69ccc6a749bd18

SHA1
9b1ebb71c07c2b53e2b3a9361986cc5133b89d84

SHA256
0cc358ce7b7917b960f6bcbd5f1a774762654e7d698d027d6fed72eeb7b326ae

SHA512
db59420e3dccfa42e9cd176c6b787c6fb0ee7aa3d6563215ff47ad316c859d9a98fc07cf756dfa810745401b854704c27ee4928dbc16bc7ba1d4fc330f5f677c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
b076afc24a2a13eba97a14d238f9b78f

SHA1
bf59ae1251b1edeee8d6f438827e5867c871b4b9

SHA256
db8d17e19b7d9c8a4dbdaef1d6f519865675179cbf1d8efaedf8b0011a320dd9

SHA512
c8cd23c1af8143f42a7907ed6da71dd3c4b4612d6740f0f949415b306cc796fd37e0ade038d769799656d81b2bc9b46a23b05d7fc4558f2c88e44cda2d92dd3a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
2d8265e42584419ae69b77f8d0f814ba

SHA1
9ab99a0bb89fb18a9248a65319cb93b758b59f94

SHA256
0ae36813a314819258e1a5778b9449871412b8d939384726c9b7254853729609

SHA512
69bfdfcac261414afe521e2f751de7a643817c52c4c505c2a7e0b9bcc5d4be96f2636ebc87162e07bafc128368b0b93484f0b4cde5351b756b47a62b4d6ccee4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0e0b436eac34e60d0f5680e3fbb13adc

SHA1
44ee51ede0b861b3706e6b65149eadd9b1cf940b

SHA256
e74297d89c3e5d7d37c58bc72f64fe10da42193b34b88b0273bb8bf25d2b7010

SHA512
06eda48bbc6b30c3235348a178a75b96afe8488689b01b7e22ca4033cf488d72b7ae8c6bfd8474d7fe0e68b860768fd49e68d716540ac96d6a4486aa42a6e0bd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5a3f0989918874c5b9912d074e85f654

SHA1
ef11b0785990eeab8a03bc54bb0d852088283611

SHA256
a44fba17d61bca0d9017e199af2c508639efeef45193ba3131fadad917a393c9

SHA512
31d14680202bed8de5e96759ccf14add788ef0dee152b4617d5f1b7c85b7f6c72c2c395aac4683f723345e79ce54f23b5279859a26fc0a8749ec8872279fc0cf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8540f501058477931c343485f15d6e6c

SHA1
7b04ce48d682185be3ad89eeb1bf27377f9d50c4

SHA256
3286861dbfd87a9b08e241e54c838da27b28607dc75f2fe632e33272c08df133

SHA512
fac8306e9821345c46db948532cd3e875ba36650dbf7ef834810c55609d2866dec7bd8c9635f6b79e8a7b4671ddbffcd8a75269566a3607510ed172af1443a81

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6897d0d5e010d8a445379e6606d6d20b

SHA1
465e8f5d50ad261a2d421a3b72a5bbd03bb75350

SHA256
ded1995d92a105f6fd3ede1da8e7b254db0a6fa0b1e3472538499eabdedd7331

SHA512
87b07e23035fdada451fe454c841a011fe70d31b011ec02b8c17aa78fa577be5d393e1d9057a0b04de2f86b54689f565afe8bba31397d9a263d66e5a3609a5b9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5aa9044600ed28ea5f3c95e6d9786cee

SHA1
0ce1f3576ede9cc5312cdbd1ccd5755c9ae29af9

SHA256
5e18dd443bafc5c962b9297009ea77316ccb5ab36ea751cb25edcd06f7833966

SHA512
cc243b4b00ee7afa1e4cdaba1599f845ae7f623c8a55b4b50eea2f7ed954a2701927e092609225571325549fe230801216002e87713b4c0b364f963282ef5453

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4942bd9bd813cbe60d53ec2e2f56061a

SHA1
25d5d312b429997f132915eaaa782cba216db15b

SHA256
a73c6ccabe2c1c8c90b4f9326fd0edeb95da8bc5fdb57f3224bd1fc11c1cb81c

SHA512
3b9d3a6522db6fd5a1fcc2f8d9ce981ecd327cf850442832ce40a6708a900d5bcff27640e44ae19485aa44d94786cfeecdafb09deab1fad310bd62c6311b11a8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e1ff50c75838b1f27e68bc8aa4efe219

SHA1
a0ac1dce9cd0734aa6dcc848ba5e15836fd59ef7

SHA256
da2bd75bd8dbb8dad46e95edd3d8d476729b87315cf097b8444c858bb5be4fbe

SHA512
234246bbbbdb18757d8634a555681d771a0ec9b4aea33393b2cd1d89545bce18bb89c182ba856ed76490de214bd36650ba8b49a1d1c38c9ddbeb40320ed3cc5c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3965f9fd2fda95695e122542e247fc7d

SHA1
306b855021ceafcf4ba2e532c3c17e23f928aba4

SHA256
4abd0057a5e22e6e5c160c86c82ade867de22e96a03d1d37a7090e787707dcae

SHA512
a7ce4504ecf417af3922e0c5223c047f7c3bcfe6b370395959d36a8fbabdb0d0866af52aa5a3197fdbeb7c1ce13bbbc1af85d26333e4e053f2c87a5c3ea3c057

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4b2c60320c99e6d15e899607af76aa66

SHA1
fb7abf7a2621fead3bd546b65b8c7fd3900d4d86

SHA256
68ca32d32948c0fc16d4909c5f14283f76890c122c2503988a0a3fefaced8caa

SHA512
f0bfd6fab6132053c84303c47f7904d2c69424dd36b3f50f92e5b45867b0a719bdef4fcd4fed8f9bd0cc8d014e8e9cb52e0837993fa5070fce15c71a38366574

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
132f3447ef14cc05bb28e9d21beeda35

SHA1
0b5170861c35bc85822067a69254a530992616c3

SHA256
10849f04877d5c6a92a2813858734d2b0b680da64b8d5dda9154d00d1d8faec9

SHA512
65bb5a22fe8820239888fab6212ec840f6f75a177af36de2b391d31c5b9ba287e9c0393a1cb3da9bd5b6e4f7a9f72751aeab61aa4969da0c7a17cd6c049070d5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b22e42e224ff220b9b492a4d925de50a

SHA1
e119349104405536e2d83aebd24f5a4685c759ea

SHA256
6f95b4c33e039199694e60227c9429caccc1e7155d3702ab71219843a399ff4c

SHA512
1193098ab3fc453f1fafaba5ecea8f616caa312b7efe3172d5af03d595f332ddc840751f54c396b0147df63ddcb8c42302f35cad63696045513d633db892e24a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
915f0cf86cb05258449347730bac766c

SHA1
42defe554776f2094892de8f9807c9224c2db10e

SHA256
3d7ae16d0c43214ac40f1bd66f03fb2c28afa63d908c6aed35f82ee5f6a021e7

SHA512
d9114e181d732ecdc5394f1c268d4c2c935f2000d0dc445232acc2f52a50551ea5f9db41ff3694e9698c80938b25997c9ede9f1f02a7d058cb95045815de79e0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
90f50b37050786fc439affd443111c8e

SHA1
85aa46ef55c1d745023cc0340317928fbc28e5ce

SHA256
bbbbc7bb57c42e42e20bbb2992e29bccd453272ca626e42153347aad78523394

SHA512
962908793affbed10eaa600f80157bf93162eb81909b890af4642af2bec8daec417986081f49678c32a98aa6b2a5f4f2a55b7a8c6697020ee2175734c2a438c2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b380ceceadae539b13a355558d5d0fd0

SHA1
24f9895a3c18b6b32e119aae1f95160e6c634272

SHA256
ecf2c361cbc9152c9e7fc38734801d3292ea4a79270227e9d070ee14123d110c

SHA512
9009ee8fd2f61e1faab870b56869028814317072a8c67764c5474de4f02acb3e7dcab84fb4a24ca7bc529babec18a10e2039baba26aca0f5a7d0dc592c3aa6de

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c5074ffc5ccca2a35031877259ea0ea3

SHA1
c67dd088ce698561717153ac98453d0636f54bb3

SHA256
ae15bf3dfad8408560e0565000d347d24c21e4a9165cc28173e1ce07c327b479

SHA512
74c5246b376a41517497f8dbfaa76a2f4987b1f9ae1c22ff62370c4b1928d3a6c99b350b729c2ddff8e4e4fe312ad0034eca8ea8bef4271d10cd577852b61dfc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4a9c99f35bdc13315090a9ffb8f6c175

SHA1
91d945222081b7f94540ef3b136cbb3dcec02c4b

SHA256
ebac9ae3efd1cb699589b13150b75725d61b3be7ccd59f02f5bfce9874f33986

SHA512
092db7a4e7372d3a302e955528f94e0d9ad830e623778fef24972d2310da0bc9774ed9c869cbfb016428c7bcbbfde703d415c3a5383db29ccf2304627886c498

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ad3f4dcb06f5c4a5764672155a25bf2f

SHA1
c12f5f54cf3077b9d037214435808e1965640615

SHA256
abf75a9df1f4776b093a40b4e65386a557a993a3b804fb66379669d73edb18d2

SHA512
2230a585553ffb6c06c3e126a4b37485650474c41ca42b0ea252db02ec4188e2881daaa183e54fd6f6372cfa4692617fee3e3d18956ea4ac920014463bc09102

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
20379ee980b05a68436da13227b79c64

SHA1
3e928c7033cad72223dbee1391707f59cabeb5af

SHA256
21b1293185c087cc283a48d40ffc16f8daaa512578ae8354e9263999fe0df579

SHA512
9f75878d45ed510ed8a0759b4d4af002684490e357dd3ed37fb947a39efa59a91f69449ec093c16ec6843ab7742270b1a403d706b16a0312e4bb5c7d97d4ec0f

Download Submit
memory/60-427-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/60-665-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/928-25-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/928-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/928-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/928-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1000-574-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1000-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1516-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1516-664-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1776-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1776-659-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2644-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2644-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2644-71-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2644-77-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2904-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2904-666-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3164-246-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3164-252-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3164-364-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3164-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3500-414-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3500-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3564-390-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3564-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3652-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3652-525-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3700-365-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3700-656-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3732-41-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3732-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3732-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3732-236-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3872-1-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/3872-8-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/3872-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3872-29-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4084-402-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4084-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4172-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4172-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4288-307-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4288-426-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4472-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4472-660-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4536-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4536-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4536-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4536-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4604-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4604-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4604-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4604-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4604-67-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4644-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4644-663-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4644-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4680-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4680-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4680-257-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4916-352-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4916-623-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download