3d032b379725d11000a30ade2fefbe0881516cccfe6e6ce5a5978436f5b2632e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
Size

1.3MB
MD5

04b5bbc97808c93abac75c0042e6b505
SHA1

e455578720860020aecee363e1812204bf1740fa
SHA256

3d032b379725d11000a30ade2fefbe0881516cccfe6e6ce5a5978436f5b2632e
SHA512

4c50c8d9b92951a2325e2e1a8a9ce7dddcc78ab3e90ae844757f412e60b6d319a6c644b580bbfcd5b9a45cb447f23534066b29a14be19a8f62ff5ca3d39bf3cd
SSDEEP

24576:92zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedWe1g6p7HF/w/ftDsBUiScD7Wb:9PtjtQiIhUyQd1SkFdWmgiTd8DsMcDKb

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2756	alg.exe
1252	DiagnosticsHub.StandardCollector.Service.exe
4864	elevation_service.exe
1688	elevation_service.exe
2900	maintenanceservice.exe
4320	OSE.EXE
5064	fxssvc.exe
4144	msdtc.exe
2308	PerceptionSimulationService.exe
2536	perfhost.exe
3756	locator.exe
3760	SensorDataService.exe
4544	snmptrap.exe
4400	spectrum.exe
3748	ssh-agent.exe
3312	TieringEngineService.exe
3624	AgentService.exe
3052	vds.exe
1952	vssvc.exe
2916	wbengine.exe
3856	WmiApSrv.exe
4308	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\89e769b8293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de9e3967f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b9c7767f4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de9e3967f4adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055c45f67f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079b32d67f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000513c3767f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f021d67f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0b14c67f4adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
1252	DiagnosticsHub.StandardCollector.Service.exe
1252	DiagnosticsHub.StandardCollector.Service.exe
1252	DiagnosticsHub.StandardCollector.Service.exe
1252	DiagnosticsHub.StandardCollector.Service.exe
1252	DiagnosticsHub.StandardCollector.Service.exe
1252	DiagnosticsHub.StandardCollector.Service.exe
4864	elevation_service.exe
4864	elevation_service.exe
4864	elevation_service.exe
4864	elevation_service.exe
4864	elevation_service.exe
4864	elevation_service.exe
4864	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1800	2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
Token: SeDebugPrivilege	1252	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4864	elevation_service.exe
Token: SeAuditPrivilege	5064	fxssvc.exe
Token: SeRestorePrivilege	3312	TieringEngineService.exe
Token: SeManageVolumePrivilege	3312	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3624	AgentService.exe
Token: SeBackupPrivilege	1952	vssvc.exe
Token: SeRestorePrivilege	1952	vssvc.exe
Token: SeAuditPrivilege	1952	vssvc.exe
Token: SeBackupPrivilege	2916	wbengine.exe
Token: SeRestorePrivilege	2916	wbengine.exe
Token: SeSecurityPrivilege	2916	wbengine.exe
Token: 33	4308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeDebugPrivilege	4864	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4308 wrote to memory of 3336	4308	SearchIndexer.exe	SearchProtocolHost.exe
PID 4308 wrote to memory of 3336	4308	SearchIndexer.exe	SearchProtocolHost.exe
PID 4308 wrote to memory of 2472	4308	SearchIndexer.exe	SearchFilterHost.exe
PID 4308 wrote to memory of 2472	4308	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1688

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2900

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2212

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4144

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3756

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3760

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1940

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3856

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3336

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
2⤵
- Modifies data under HKEY_USERS
PID:2472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c5fb819591da86747235137bb6f87c30

SHA1
5db25d2268b3ae312c3b2a608073a091e6f6df46

SHA256
b566247f1e06b85a6538a688e489bf4482ab24ce227e7692620e77e3dc407e00

SHA512
26804d25ebe61519494bf12065853e919c6cc7f79278bf054011471ad3fd945c18bc947f10feaac3714abb3787b73c92bbb9e72876bac09d25f7a7bc4dad20b5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
8db2d948850ed3d351f5a432da584722

SHA1
1fecc08d2490a95d7163311390215e4fe2aff5d3

SHA256
dc8ace9fd6bdf4597310f7386c857e722ad084689bfe070baf5e5ed564ead66f

SHA512
f1416c939c655c6ce4910d6fa338416c022bd8d51aba4f9882a81139a8178ea323d4d5cc10b2eb1e016a17e8330af43bb9a7cd5cd9bc68a9bb33e1380e5e81c7

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
2c4b2342200b035b629f0e23531a1cbe

SHA1
68971fe141ab8ce89592118414c20a2e2901dff2

SHA256
c4bb296a98aefafbc294a5e94c6dd253d9f1766c8b9fc0494a3d9b7b63a497d6

SHA512
179750e643519af3635b51cf80e25e8143dccd6b67d020883e77ed7c244140b26e753697d4a4b34ddf3409712355e748a3ea3169cf7b4df59e68ba7e15bad4bf

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
7215887fe7748e0c54e16c428d43cbf5

SHA1
b9c927595a6afcbc8c29bdb5d45fac2f1746194f

SHA256
ca9d99a4ce5997b17910760d543b541fead5a954cf078c0b624d29d7cb699176

SHA512
10b4d0dd921f1bed5fffd13a46215d7e18cb9ac76b7a431a46651621be5d80460e751e3e4d34f91aa1baab957d8e2825f8c5bb0192e129f32c75bfa1d3bec9fe

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
f1aecaeaf4de77c72d6c7efb71e21ec0

SHA1
5444a2abf43f7290049c200f9ad46077b5122810

SHA256
e2502a1e3202695dbeb8541b22cedd1f1804a2f70590731d136fdedda92be27f

SHA512
431dbcbdee4d7f39ccb9a952162a4866f34aca4e2fb59e7ff35134a25e729689207d09456ab526c6be0edf6ac7321466b98bfafa9a7f4e942ac0b9e3a6cd5d17

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
def822e96b2ba2e217915219e75fc616

SHA1
dc8cb4c3b1bc03c71efb4812a76600031119e0fe

SHA256
039a9109940c3cf61cea2d0b6088294fdbeaa4514a102f4c397eab165066832a

SHA512
4f5da0e873a2d3c2c93a182f32426b402d738fd07b5cf2ed89046e5f9d97305d06d233188e22a6ae5e4224b621edce33af38d39d9ebbd16436981f5b97a5eca6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
8f47fe2c8bddc5d0805a32b7d14ea9ae

SHA1
a9bacdecf5527d84cbd643687f6c842a2c0998d7

SHA256
bcfc91b08dd19cff5ca4f8989e0203f8503f7c14fe1947b7ce911eba92fc482f

SHA512
c482a01cb19a7201addc5c1014364617956d0a76bb1da43fc71f47b9dd55bf89c109401b3f508214fbc35b52394ac38185941506f001177fa43fcda595896e33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
23e7d584c75392b854ca31aa456d93f8

SHA1
97510338f9ec2a4d6fab6a5ff077ec106764ed99

SHA256
c47c119295ba94b89f1981d45be64eb7a72c3fdb6dbf4937cc275e842f254a0e

SHA512
c8c20a71da2a410caf180c2867c70ae2ee784b582b0f3214b211763f1cda2ec6ac8f4ee0c37d81fd17a3085f3c53712993549982db613034ab9195b98602a10a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
10d2c874e5175e6cf779d580001f66c4

SHA1
eb19ca17cc577a583930b719c281c9d87bc15579

SHA256
870186483f65eef386d43d5dbbb82d171fd05c1d26913af1c5a92ecc23520b50

SHA512
bbd73fd62e25a70d732c37525209f4276fb2f75591a3ef90e4b29be1024fa9e3a915d2164c7d242102b1e688d54b83fcd5ca1ea4aad2311ef6dca3de99a5b9ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
fae79d70e9a00651d8bfc38b14fc8506

SHA1
35c696a6d9932b3c7513e132d4ac880d323cdf20

SHA256
e6c673c9bdb1c22899768ed0755d656ba07320b3a6b4fe24b931712841b21e5c

SHA512
d44b57ace5001741ee34f319943c3481c2ba9d69c9f732e8a74170636b144a21392d97be5f5620a93f0dae249c7f1394f044f73672312b74d099b61d8637deed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
4fdb33c5c9203663bdf39f8d17ec7466

SHA1
8df639e891726c2fe8f2948a0e336f9e84a99e59

SHA256
4c85b32dc0f5b44d6fb1cec9e1274913ae3bb26d0516f35215b0ed4195910fe8

SHA512
20b3d91fcc05748666a23c4f08d09cb43d9ce100ef107c3768bd2378557508a564802ff8f1bc5b2ab54a1a42b21ffc2f6cdecb061f2cc66f01300ac0ff098b94

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
0326693f2107b35285dc5fb0cc110b97

SHA1
f132184ce78bd9773ab3410a9e3f26ac10eb45d3

SHA256
e2d6d92c19611175adfe10074c3a19e16e3d1f6b1903abd2b24c69ec75cf4a51

SHA512
06fab0f16aa55b3cd3a69c462f6548739577b63c983283970984d62a410116ca68fec08b3e708f320e3bd34c5929f5940283595d9b9f307a42fb5cf8efdb0b85

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
4fa0cd65cd65738656fd8fe40a279a2f

SHA1
3b9cee543e7c643edcbea66ba06857c4f9ad7093

SHA256
491d5196d441949063aab9b440ad4e89834d1213ebbafa23b5eafe1a4b7e94e9

SHA512
c56567bb18c0192dfc1c6afa2e349987290e6d5103184c417501b3206655b4a9016ef25ae7c6c8a879f30b1a2ea297fcec91e593a8ce3e473049b4b8e4f520d2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
4005de13e60b3aebae88e5149ec2c849

SHA1
304000a4ff71a391b9ddff35c24a6c2e59f05d6a

SHA256
cef810ff32872211a253d13b0e9ed5417b7bac33be9d2950dc192c5b6b1c6e71

SHA512
be869be65f94a94f121bbe5c5b0c2f678422d12c1b4edc35b4a67c33b5dbe33259a7189531aa38e8ef4f53afdc9a796e426af170286532073165d4e6ec55408e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
839de14bb9bccb78097dbfe1e86f141f

SHA1
fae5810a9e6fe90889dd87094a939abedf2ae2f0

SHA256
0b33f33bb6e6ac877bae1e8f6b5d5d22a978190a738b6ff3f0f0deb8f5d24f23

SHA512
22ba29efdeb56d20a9f9c7a83a526e329228c357596d3b6afcec0a27a1f9b3f48e39794b709940b173238f1804915ad9a1bd75fbaeabfc706a7a84edf2ab8d59

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
0cf2ac1e164ff0c8a1ca25ffcb98d2dc

SHA1
06084aafc9080ca4c6187b80a3ef8ea8c21a0672

SHA256
f720ae1f6c3eb2daef5d6107798494dc54e8ae8c31d38af179b1d46d367ac76e

SHA512
fd34f021460820d18e4937d532cbf2bc39c5d00cca990a3990ffad8bcbd77d8f0bd001dec310f95a899de1ccde4c7a5cfa85aaceb869b8f8cc9babfe0c69a009

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
7463410f9fb6881a90241d43eb85f75a

SHA1
232bb70130ec903645a4bedefef81a3b114e42bf

SHA256
0fc359285f474899fdedeb0a128303f18894bcbb998bab2e5baf668521f186a2

SHA512
114104c20097643ca65feab6650f38b50abea573741950a6219198f3543286e9de009000a02e36527e551677c17b975e27a018c901dd22b42ef1ab96202cf810

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
4c819e44947d81b39a94fdefa07e6584

SHA1
af1f74f16f4d5b2492ddee9a28c3c5417b4dd11b

SHA256
627691afc28572d782277e3cb1ef35d8a69b55c276b377efc32acc0b838299d3

SHA512
58e22d0e1d2ad7544d99b1de0d11aa592dd11cd55378ff7de62da0584710458edb5f7a34a670028f44cb66737cc07d78cfbe8087b5397d1cf35b79b9a484b75f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
720d428c85cc3217b4cc497f171973ba

SHA1
09f1860562dca87aa61fdec5eaa80a7b103e8cc2

SHA256
3b07dfcaa1f82a123713a2d79fd903a1f05c7eceb14ee1f49673f4a86660ffb3

SHA512
49cc6758d9090ba1eae86121db1acc24db8b9dd5d14b4d311f22c5774a3af0dbc2b92aea4db6c222c78ca0afc8b7040d208eebaab3402740990007ba96f2bde5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
a2be999984892e43d0209d9411d5df55

SHA1
8dc7692fb5de7fd7740852114fc8e2ffbb79ad82

SHA256
4102d5eaedb111df3fef4ca6d440cccd9f18b32796c9da127316bca8c5b2a0a3

SHA512
9447bcee96a09799c09453f62bc690ee23583a96458f9270c0ae161ad3a338ad17f1516592193ad625df54f6dc79070cf1b52376613fdf627b4d708c5a5d1176

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
8e6c2a6c4d6d206dd4337461f871dd80

SHA1
3aa4377a1fdd321d8d3e65af220c193712a1a238

SHA256
8c2e9ee12284b48f67a56af253a2c13d1ad4c94ecda30ce759c10a5825504e1f

SHA512
9f264e0fa06246546f2e33c244b9f3de73b6d6912278cbe3bfac44a667b8f712db72b5af7d3905b540056d592f448e997f1c16ce7573a4d0e0c89d0395ccbb66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
57b1841b3b510af9f8e74ae5e1d77873

SHA1
e1e04bda8b8ae28c282ce504adc2eb9bf80be2aa

SHA256
71c8e4ebe56ece642e8e6e38b84d3128ed52894fdd2e619f29808729af2b3850

SHA512
1c0a41b821c886f8756dfa7890a2b2310718175bf4b6889fa845ac11c30d37b87dac189967abcee4738bea82b7a7dae593eca44424f195eeb4bd9f0e6f775d26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
aa16736c3db2c028060f3f25dea1a2f8

SHA1
032e9244f3c963f6d81f1ab675eb2905efa31806

SHA256
777363cbdfc1434225d470decbde95d38d43e1a3aa8ec81ea6bd9721da27d4f5

SHA512
ffb0701636406ba3b561ce2611682ecc0319e80af88d02b61b357222e12e290dae9b2d7045967366382e191457ab6a010e4f7886372d59e3f626e438b8b8e1d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
a30f9ad688e19e7791ae43c79597dd09

SHA1
509fee555e1ba766f3b9d094916fa1b301cc2a6a

SHA256
c7b9f7e06fe1523e657db3dd3f59dfa48c3bd87d852b49dcf1c222904c6c9cfc

SHA512
d3d39b13e2c94df70181d80dc003c41b8c10c85fdc868e4f5a9ece2b4e4b771cec0f5c3d15a1ed661f417920e623f1a38912f259a4ac4368f5b49caba82f0f74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
e129b1d0ce1079a449913e91283177ce

SHA1
697b21f0fa6139caf66bf30751d50351bdf47678

SHA256
d4e3d46f84eb30cb05020958b280fd99166e8dfbf95a69dda0b5f6d88ad59320

SHA512
f99f9e2f2985b9aa491c286c7a2172e7c3afc1b27cd3ee4a73acbed7564439f1a1348502210118d29bc1e4fca4516f27291bba141fffbbc379fb9b42fb8840a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
b42556594ccc8208c93555dbb0dbc032

SHA1
d649871acdb8be8f791c6a33d7f5d64c2e80d77b

SHA256
536f0e86fd35c80fb638185f91ae8f24b1dca4456082f1d30adedbed68429470

SHA512
182ef1d11d5fe7341af896722dbd55a4088844bba6ce97c8ad1c51a60f443afec25ad3a8bd471ef6f90e130b2986a1fb8d96e84617b6631a23d5c180338afbc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
2dd7881136524872c7be8504ef019593

SHA1
5e93f8220c2082d5f30ff52e3b9c49fe03d59f06

SHA256
3d86a0f9e64dc69c4eaf4364ba365b8e1d62e1f543f462be21a20d396f220d21

SHA512
6359af833d28b8e8fae12188d48cd2cb5aaa035cf14b3a17585a249a18fb1f9da60fa4208329992bc9a1cd4f8836b38ead8752dbf3795a6a24fbccd224d92da1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
96823198883e130f6a8b7a4dea529504

SHA1
a0428b193f479ef8e93a0eecd34ca24278673708

SHA256
37de80b89ed375c94003db69ed8339ec6673266f6aab621436d097231222a010

SHA512
41d41626fef30b14f2843e1cfe37a676fcf8cc130ab255263d2372aa22a8e799a263feaac84d8ccd403d77638cf0c63e23053e8ac50e7af498ba7d9a3deadd01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
c6aec87a8e2071de1b079c5d380adfd0

SHA1
05e1a8ced543d8be81b79427561e37a9c5a04c17

SHA256
5e73a2bc1c03935e630f1de1c6d7d90bdc461525131222ba50f1986e4c2e0f8f

SHA512
202db59f8ec9ac60327cc6b09a1858cc24296b20cff04e386e75a24d1728d170cb6e8ee5cb99874f7e0332b0dca296c47e1711a1ab0c03e58905fae0c1d3573f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
0847f57aeb9ffec24b7d96baa0b89f51

SHA1
0587e3326847c5cd726b1de1d017f09f5f25ae05

SHA256
5ebec69064b4484b7e3cc8716d8ceea7327bdaa044e6b46539df55c9e8997dcd

SHA512
ff3ba5d6aab08a590dc949a909b76f16fd3f4c031acb90c4801e79ebc1f0b0e4cb7ed0081fed5bdd4d08d6f71b9fad5e8d1ed9919f198baac1e0c3d81e84c546

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
b37d0555ba1ead13ccf499d4185105b9

SHA1
d00629db0736bb7c6e4a336c566a391388dfe900

SHA256
8098bcfb88c7b1c101aff98f0d31af12725564a4e15dfa15e3ada68cf6566821

SHA512
1b30553c733f0a4ab82aac0b12df3f14d80dce52539b719a86e941f662794d914c1c6c0f8f810f0cf5503bf3d4a587cfa0a7a81299a01acb4d522a10a448b9ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
531bfbb500e7e97e03a220726870ba2b

SHA1
777de26e136beeb1f19c2a93d441be3c014602e1

SHA256
6561b00bc8c2b4cbf7a8cad5a1873c9ff20f860f561d1c92453e14be9454d92b

SHA512
bf3af678d934f6b5cab0ac834d060c607ca45e7b636859fc235532fd75429570160678452d4a7054d9511754f93443af738b8b8fcd9a1c644e70e988dc999abc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
5976b16c20ed54399c343ab3c18d3939

SHA1
d892f1ac3b542a06091a72193b6b305c5f8c3f27

SHA256
db2256c8c9bb60a9d5066b90e7eb1439ad7cdb42cd78947ab0e28e4794b2d4b1

SHA512
7b73453c23e584cc2eff0d6bbef76ab7855e4f092d17a9f508223d94e158a3f1f78f2ccfa8e74c8b5d4ca004cccb6454743bcafe15c1e49d6102ae73fdfd9ced

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
8dc1259d984e9c8b1e2dff9f24561db9

SHA1
dcf599087b58eb438ebef1b9c66ee4ac2615fb57

SHA256
e8f0e75cb112190cccf12d7f5f5994ca50732374b424463541a7247f6425bb2e

SHA512
72b6fd0df3f9a5ef6cdd396ad5c9cc423d3bdf60ed599dc2ac4536e9a676344e79cff354acd751fc6a43848133a8568ea2294e38ce87f1d4f5f30f91d6c99234

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
20038c19d7c9227723017be299b4855d

SHA1
268cdd14e77e3d9bb49273e6ab2c8acd3a7022ba

SHA256
55f24721afa05154846ee3e4e1da2e9959da4391a5188e1ffe70c0f6c40a4950

SHA512
a3c17ca9dbc2b5bf636cfcfa484bb4168659482adfc664a1e62fd60ab98ce0bc0548bbf9fa6a13dfa05ffd14c8513584c558f5293bde49730cdf42db32f45305

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
707706072dbad088953f807eb1b36647

SHA1
1c8649f6e6e2bc74f8ad8044bf817e04ea753a79

SHA256
d128b878b805cedca2962ce9f50ee8a238650d6f52ca35689c5757b6bc6507aa

SHA512
18af5bcd4e11d9dbb1480870f8f44b1cc7d368c5b5c460a7c42c4aa86fc6f46d36f86661b2b50bb95e0a3695a5fb55edcd39fbe1c73b3891eb3e8268fed138c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
1925115b2f020bfcdaf992beff36cd39

SHA1
67e2a4dd9a54f585982204c034439b5130897e99

SHA256
882d02a13c8f18961ac382ef6949e5a8bdbc0061dc8b3a1c49c604eed63d90be

SHA512
cee8f7bd245a05ae89fc9459e50a3273b471dd05e1585b1668a2ef74b4afe94f4f710a86fdacfcfb852233803ac79d8071b37c7887502b9ae46117258be4df38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
49a9a22a9b5288aaeb95ece90f3bd8aa

SHA1
f1589839bb2bd84ed4cd362fd07594209ac568e9

SHA256
24ed4a49abc57eee335ae4e16420c6eda5611c5262c2faa8dab865b6fa8d3087

SHA512
928fbaaa354d70994fe55690928b30e57786212e4e3509b5fff91b55fc2cfc8316ef12272e9163bb2bef0d00797b24201def3203967e9eaf0b68bae8240bd1ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
d6e9de19bbf4ce888b43c849ff2f25a4

SHA1
ed6ebc9e6c350fab3541acece53012a7a0809c7a

SHA256
2cbef5a19078e5bd16801139c31f8d63cd289035dfcd4cab9670f5c9e842abc5

SHA512
a6dcb9f5980fcf729538f8c2a4e3f6842d153588d9777b1229bb75de906064cd029cba101668c500f74ba58ff9b35557ec6cda171a2788cd2d51d540e7734441

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
f4a3f1ac7231222e2a00c0d5675882c8

SHA1
7068c764e7b65b405570c1e5e2e426514c5638bb

SHA256
ce484cb01ac15a75a3e7618bd426960ae45a5948b55b9c6424bd12b6292ec21d

SHA512
ceb42cbc00ac68950af8a55135ab1d2f3e4aa5eed1e90dcb02debdaceeb5c72ef604d7ee631d0242d7bec399d1147f1eb928ac0c64a09d9530ccc59bb406b0cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
b302d8103ffd7594dde210770c83e5ad

SHA1
aaeb275a9a38063a623f9595f4420d5576d3fad3

SHA256
77599dcc88f6fcfd4cdeec3098bfe740270e8612e99cc479a0babedf794eaafe

SHA512
dfab18995c06f62c98c77397c9e4d6ac7eafe61f7432641fdfc212091626bc4fef9c515ac1ec3543a08e74af87c77d354ca126ca89a4ff0bb137c404e67ba66d

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
b4e53282e454b4f498e64b8c2bfd02a0

SHA1
d50a90a8892752fbc681c52aabbd03bb69ff2cf6

SHA256
f1029f03ed5be40ac42c0e36cd80b2f8276dd6a1add4bd816c0d23876f3bee81

SHA512
60c248b4898e3f474e759fba77ede976d1e17aca815906ab468813684cae3a8b7923aa7578501a012e46e3a0a69660285a89a814af2ef0016d6e2c28f9a0c390

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
e3c56e3c3cdae9f24e087585969a7a8d

SHA1
a90ade81f232d8dfc7f47bbdcb86ba07721a01ac

SHA256
2aebe15a2fd63587abc8412e4c3ca87ce13258ad0eb252d317cdaa9243a9dae0

SHA512
6eda19fc6887be8d3ea027e8aa943bff3dabd52ef31e1c1100f06536c9c8a2ea4d1e91c13dd47728df04c7c84a049d1b65167d2353e4d2766c3fc715a7b042fb

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
dbe2ac9f2f8cbe3dc942c114a0b253c2

SHA1
f0d82880e45845ebf47d9221c8bb238245370e60

SHA256
a6a6b540e8ff75d22d0346b0eb3deb696f0c5c2c1553912121b41640f3ce8ece

SHA512
51e9269c4c24252a11ab4ea7d420830785b64701512c3bd78ba83c242f8d37ef6dd4c74f481a3a09cb67d7d15c54c613a8575ec8873827200955fc968e18a031

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
5d6d380c0348080eec5ccdb99d7ab054

SHA1
ee0f10c6e99cd9ee927941325df6d8c13484b5af

SHA256
a1a07d153a5a4c1a4f0942ea2b242e930e63c167b1bb74d92aabb323797796a8

SHA512
b07083584de72e9ab2e5218278fdee04d78db3a5f433f47ab78cbd904de189cdab258c71746c6e46c186f789e36c71ec89caed098f7cbacfed9d5947d179b50c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
47eb50436752c18b8a401fd198f2563c

SHA1
71ae724c1f3038c37547a0efee01a218a4e176da

SHA256
9ee9ddc4c27345131ec7c52d3e694d696d79aa3380d9d5edad1b6e5d960efacb

SHA512
6d7f3b014da469655f188214c5775ea6e78a90be05e6092a2d6db0ec586ea60d2813b63c921ab97b5268ace6b092c529ce9afcea473af377d3cbc1823544f571

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
05793fec33c05681ab8ca612fa92e09d

SHA1
8d478d5977e28f928b6c83aca6a7e22648aaf032

SHA256
58a41a1aee5ebc7b6a9f4d1e895f5f4cf48b34396fd7330dd6a777e9c8d984aa

SHA512
401cf0478f163c5adf5e17e7ffd9d4cd5517934ce673e83ec8f4ad720acb7811c109a0b7bc1249403bcabb7cd678852e29696e990f2c890a4ad8de868ab11709

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
a46515d37c52f28d00eeb68bb294b3b2

SHA1
b90ad421f2a38825fc90a751695667d247edb365

SHA256
caba0bc5bd96ecf49c65397cb95174cb31e039cc0a9008ee7a036b173f52b974

SHA512
eeab10f65340e5d95c4d78c19c6db04f41c6e6dbd8af16f910525162e34f3f5fa2b2641ee3f3d03053a8768b0f5cb7a550fcaf623f53e9497d667191d261fcdb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
16fff18eb4ea72feae87fa1dd3c07147

SHA1
2049c34a96eaa769594a7a3d614fac76e036ecac

SHA256
be24f7124c37ff03a09b5e86ac5b90ac4c25c6e597c037776a1f74f67b0c262d

SHA512
d861cf386ee5e0e7777d29934e0ab01345f01433881d41e1afbbde738cbd45762dd279dbe921c8e1ec2a03ce2486127bba2a386cd9fbd1d15adf690622e6643f

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
a871f46c50cbc27764d96b91013fb472

SHA1
2577bf819f9842719e00aefa2ad564a0674508e5

SHA256
0666a448661dd92ec93a85430fbf92dabecd82c43a51bcd1fb0672e6043fa3d3

SHA512
c502122c4a13b909ada597fc8e2f5e2f65b43acd67e8cbb95527329e648cff5c40e735727fda454b6fb93cb3d5c5bff9a373497587d806ac4a8951df91ab24ac

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f0c3aa3ac61bafc55f1b2571ec723774

SHA1
89bb56b9105ff08101feddf5ef25a07fa4d919c6

SHA256
e1e2c1a1e045f1b62ef6dc8723ac325e485e3c760439b9ed797c90f18cb9763a

SHA512
e1cf5004cd6c28b4eb50fc687070ac830ad7274af6549fed2c5a912c7383456b8368d45b41e0787c49bdf1e916cb1e5c3aa478c7199f6ed3e6c39a3715e11bdb

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
11edc615f74f3d9aea7312e5de626962

SHA1
2f7a60fe26a4e175a4d775e5c1d5132675f29c58

SHA256
71acfe2cbe01fd2fc8c99d5af5d745b398f2d25ad859cb26b31aa56bdcbae6e6

SHA512
cb79b72800324a50d0e7477d7ba806549a858295cf13105eefb29fdd93536503d66fa54042c87d231d605a7e989923e4c4f93471ff34a24c785e9a2e4f6d03a9

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
4e0c37df443590b424c80624ce1544a0

SHA1
2be9d7445998372ce0ed3bd55582876dba4ee91f

SHA256
c9f83cee74242be98d08e494609b0838630f890d10ae86e80ca49f08e5d41f5d

SHA512
7ab4d8b55fee6ca1d390c13363e4b806a609d771bfb0573114a5c0968e16e60c629342fc44b9e8f8897f23ce48a191caab2bc5d44de6b2ef769e0ec5f970e6fd

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
159f3fa5f771d465f754fbe4a71e4d75

SHA1
9443607921908c509e78cbc0f17cb44117391c8e

SHA256
15eae60bf8e7a0203d5ba09d4cb8064bd0f4abe44e3072bbabf4002171b5a71d

SHA512
beb36072b11e3a1a1215a93780c4452a273f13f0fc786e04e6161f22b700fa326023d041a00996ee8d3b5de682e5eedb87e296c50f436a1c94a38e09cebb9995

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
099f9cae3cc21ad7a4280af546be4f38

SHA1
9fd14282f528bb9e158e7ca1dc4d0cd3d5dc90c2

SHA256
13805b42e4d6bdde1c395a0e4eb359703ce17aa0070dee6277964fcf60bdee7a

SHA512
e5c529d8435c4003c711be0df6df97f390842d1bf2b3673608b9de481ec47985cf82c401054b59e98f5c531e19fb0306eca62829c646e2922063ed12ab5c3cce

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
2d6f8dbf9f815b219b196b23ae5362c8

SHA1
9b00724c45d7767dead84b6b2e7d057f371b5247

SHA256
55445912a91c4185ef91624bf9490815de888d97b513937f6ef277d488843b11

SHA512
f2f425ec9e150bdf897d824d508eac1492526216996777a577a027ff6290d2fd791af0ab91240a09155dd1f1393839dd779c5abf526054d4000cb6d77bc41516

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
02fa531c19e44b15106dafe27439b515

SHA1
bf1c3f8c22e27b42ba8df4dcf5bed922122615e3

SHA256
bed44c61df1a9dd70030f0589136528eff8efb12de6fa0a09cf5136e247edf10

SHA512
9b98a4d26c0f63d6a9f35e07cd88aae537f17382afc22ddf5a996203c435a67aa8f343792062ef1d97479e1ea8c584d089d966fe4e0fe7ad5da66bc2d861053b

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
7057080fcafb3f4ab990051ace041563

SHA1
1d8f19dfd1f591b7bc6910343a096fe7795cad36

SHA256
d93d6620d023878568229690a7cdaf7ccefaddb2604437531b7fba84df215386

SHA512
b9952c6aa45ad879b7a32d7af5386de46f35df2194c297aa0bc3345ebfb4aa22e59c1247ab2fd710faca6fa527e130c348da2d0f9e3d13954be26c590a8f3a00

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
ab8628e6746a27314c8c9208bbb2b4d6

SHA1
e604b577959855aec91e71646f5b1894f9fe042f

SHA256
dd9396dc9cfb27a744bcfbde4e66ae5b8911c7ea0e0fd3a060329a93de2847c4

SHA512
e8be1a5a38799f257e581e1257c54ae3958bd0b6d288f7aa861dd962dae5c0b545de7dfc64ff4baa05a0de81fceedb8c150453421c14f7edb0827e311ad09217

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c3331194eb7ea5f66b90d764e8ce798a

SHA1
fcc0a73734ab3d7dc13676971affb9b060466bfb

SHA256
ba855083ef7b50085f5e43d213d39dcb7879906e80fa75c2b8f48a96f6ea234a

SHA512
e077ad2b0e0fb0dfa0a1a6329508a09cbec662b6d6d9690302b91677e7eed8c5533206b80857fb5cfeb4870764487b418196b10764ad1d47119891eba4c68704

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
6d3c70eacf98805600968eb53b6306fd

SHA1
2b1564ef2e15cd0ae1b25a9d6324f5e1a47b23f2

SHA256
1b3d5c59be1f1fddadd5b36d3dd6b1ca227a799f6eb538efbeb6df12f5bcde67

SHA512
e1b6b8f0a9607d97b36955952d323cbb6e808f8c778ccd67e64eef8aa2fb7ee5550d1b2d472c8e5d3d7b255d29e54b2aa5ce8cec1f04e8bfbd27acd9076d927f

Download Submit
memory/1252-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1252-30-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1252-19-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1252-31-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1688-244-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1688-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1688-56-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1688-57-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1800-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1800-1-0x0000000002280000-0x00000000022E7000-memory.dmp

Filesize
412KB

Download
memory/1800-6-0x0000000002280000-0x00000000022E7000-memory.dmp

Filesize
412KB

Download
memory/1800-29-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1952-460-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-330-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2308-264-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2308-270-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2308-263-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2308-329-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2536-276-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/2536-275-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2536-333-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2756-241-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2756-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2900-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2900-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2900-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2900-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2900-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2916-334-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2916-461-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3052-459-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3052-326-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3312-318-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3312-456-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3624-323-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3624-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3748-307-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3748-455-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3756-285-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3756-337-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3760-290-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3760-452-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3760-342-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3856-338-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3856-462-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4144-325-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4144-257-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4308-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4308-463-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4320-247-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4320-70-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4320-76-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4320-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4400-295-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4400-451-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4544-434-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4544-292-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4864-36-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4864-44-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4864-42-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4864-243-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5064-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5064-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download