daeadabdc016ed4d3e4479fe2070b1a43c626c8f4196c4b94513df3c2842a714

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
Size

936KB
MD5

0e8ee9e0cbcce80658157408d61df81a
SHA1

2678164961be5ab203d00ea6afda44e43459d9a1
SHA256

daeadabdc016ed4d3e4479fe2070b1a43c626c8f4196c4b94513df3c2842a714
SHA512

83b004a9278ec5bb0a883d2e74d0d3809e4dfd837d0f605b6839c1ef2061bed1daacb4195fbe1f3ac6a76221545723551eef62707cf76a4393af35e8c9eab30a
SSDEEP

24576:PPkMojzaWXFol/j0CfQfHEB/kxOTx5mTJnxl9oZluDpCmEJ:3EnaWG/f+HEB0OTx8LLoZluFCmEJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4700	alg.exe
4708	DiagnosticsHub.StandardCollector.Service.exe
4184	fxssvc.exe
4912	elevation_service.exe
3272	elevation_service.exe
2868	maintenanceservice.exe
1588	msdtc.exe
2100	OSE.EXE
4556	PerceptionSimulationService.exe
896	perfhost.exe
4564	locator.exe
1192	SensorDataService.exe
1732	snmptrap.exe
976	spectrum.exe
4092	ssh-agent.exe
1008	TieringEngineService.exe
2112	AgentService.exe
4492	vds.exe
1220	vssvc.exe
4328	wbengine.exe
2160	WmiApSrv.exe
1972	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exemsdtc.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\818ae0d84a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e21bb67f8299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004aeae17e8299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1457f7f8299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eeb7d27f8299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2ffd57e8299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058657b7e8299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077449e7f8299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4708	DiagnosticsHub.StandardCollector.Service.exe
4708	DiagnosticsHub.StandardCollector.Service.exe
4708	DiagnosticsHub.StandardCollector.Service.exe
4708	DiagnosticsHub.StandardCollector.Service.exe
4708	DiagnosticsHub.StandardCollector.Service.exe
4708	DiagnosticsHub.StandardCollector.Service.exe
4708	DiagnosticsHub.StandardCollector.Service.exe
4912	elevation_service.exe
4912	elevation_service.exe
4912	elevation_service.exe
4912	elevation_service.exe
4912	elevation_service.exe
4912	elevation_service.exe
4912	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1052	2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
Token: SeAuditPrivilege	4184	fxssvc.exe
Token: SeRestorePrivilege	1008	TieringEngineService.exe
Token: SeManageVolumePrivilege	1008	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2112	AgentService.exe
Token: SeBackupPrivilege	1220	vssvc.exe
Token: SeRestorePrivilege	1220	vssvc.exe
Token: SeAuditPrivilege	1220	vssvc.exe
Token: SeBackupPrivilege	4328	wbengine.exe
Token: SeRestorePrivilege	4328	wbengine.exe
Token: SeSecurityPrivilege	4328	wbengine.exe
Token: 33	1972	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeDebugPrivilege	4708	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4912	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1972 wrote to memory of 1836	1972	SearchIndexer.exe	SearchProtocolHost.exe
PID 1972 wrote to memory of 1836	1972	SearchIndexer.exe	SearchProtocolHost.exe
PID 1972 wrote to memory of 2184	1972	SearchIndexer.exe	SearchFilterHost.exe
PID 1972 wrote to memory of 2184	1972	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_0e8ee9e0cbcce80658157408d61df81a_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3148

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3272

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1588

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2100

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:896

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1192

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:976

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3748

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1836

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
0dffe2ce326b9fcafdcc7f03ea0db205

SHA1
fb5080b52b58e3e981d17f10cb0468f09a2792d6

SHA256
b8b96028a028942250bd08868de5a875eb8bf347e66a8808fe7e92db7cc87aa5

SHA512
9fa2b879c09a40150f2a855ca496468d14b59bd5c7f08c64fc621087a2a6d333e08e68ee41e6e50a510a9f95129c79ada549f914e1544aaac172649bebf61e2d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
0cf5c97a224600f8b61b9e2361051ca8

SHA1
d42ec5286ade30f956e97d711fea92d24d7af8c4

SHA256
a734388242b999cf6d164e8f5813ff7254389bc12b97dbeac573ac9adea4ccfd

SHA512
06d2264ba21a3935fd9be6f7dfdaeed620b7687b52f4a79ba817ada27f4bfa66a662dcebea8879f7121550ad8f6ecf3d263cf7b4ba2129cd951962e5af487a09

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
4762d0242737d753a8a12c3fdfad4a90

SHA1
f5a56258756aeef87a65e78d2b3eaf8fbd724b7e

SHA256
11ea6b799da96791619fd6c5c5c2f3dd4a65fad7fee6cb73519ea88ecaa76388

SHA512
42e8dbe736afdfaf07f8e36ef6dc1589534cd14a06881a9f228dd4b7e715f02539a82e259d6ea422b298364931151d617d71f845878915b3180abbfab0191dfa

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
10b98ad2b3781e9d98681ee8d2b1d990

SHA1
ab3b75c976cd3b3f05e19fa4eba5267e79d1b2b2

SHA256
a66484639bba4c0a21dd64a9e8eda9b653202d7b02cda1f3c1c019a4b984ae0c

SHA512
882bfe806129eaa40890c1d7b3cafd36ec34c6e4b49cb4f295eb2ac3185dcbd1fe24d7f89143049a1c4dd23956dc7da8a1ad982d1eba6c8f512ce6e584306421

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
721f6f8a93e05ac3a65ac7150cb6e925

SHA1
e27ce72937455d2c0f8166fc99c8b58f3d8547fb

SHA256
303079c29fc9edaf1efa23ded557546ce48684d5a17473de834c991aef35a128

SHA512
cb3172cf4eeaf4962df8ff998b6118cec444806093975aaf8e55ef5df718a214480478415f43799afb584cd47cb29836527845d01cdd0324fbb156e703627799

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
63bf6cd9622e2a0636ce2462ad3f2229

SHA1
3daa605767f17e55e7649d0e3860ee8a4927a327

SHA256
69e5368e84912803c6844f54db7c541138fa20cf7ce1b0edec8223ff60d6d883

SHA512
0b1f7455adcfb63365e64bfb71aa3b73ac210fd9c7d7d37119942770c328e888f8688ae00261f50bf88ee35de65ab54184e5a100dadbe44bba48b44190c1acd2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
41d1224ab0937fabc5b67e79827bc5e7

SHA1
6fc5008616a04792fefdc62648ec4575901d9b6f

SHA256
970eb7b48c8bd3758641510d0b9a545e38b4c3dfc569b0ed40ae60939ef425cf

SHA512
e8bcd9a97702580ceb64e0f93e7067e0502e3c4c5040ccfe394d061c9703899f22fb6ad3758c92d1d289c1c60d341aa87ce8bdd3975a088e1f4473735974648d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
9b02611bcf05b14b2efe11cd60029fd7

SHA1
b867b3d695a7a9c8e43618d375c55ad786f56c2c

SHA256
6a44fca977924f6d302fb7f1c2b63376fe253d85747d6c9c091c17bfa64bdb02

SHA512
e6a7049a2d98689eb987137ac48f637c41bd5fffba57faf4d41e104798e87e03e456a8e13b418b53673025fb569f57afa55bedf25487c92a28e19632cdd5a24a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
c36488ac3e1b148733db1027ee978bb1

SHA1
08a229f1a3791a87f8ec70341ebf9679b15b13cd

SHA256
42f854e40aa1fc59fd4d480545ecc407d6d72330b2614b73d50642d4ae094c71

SHA512
59b4a9600e6fbb52bb22d935cbf3325e959b74ec095d5402c83fb718de2702e0078027b2710b06553a35064ba3f5d41dc2cb590c772a7b7406870d8c2832ab86

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
6ce77416b3a534b7c5512ef4aed8a78d

SHA1
deac03d710d615a9ca66592acf0e45a8662c41e0

SHA256
dabd701a5410ec023e3db6204541a2177c15a1f36a26c1d401f612a920653cea

SHA512
de231102ca9ec914229e45b4b5fa25305c17705353d47a710fb5f27958d2fbe5eb1c73223247866c53b89fc8ebf5a127bce7c63303e898aaae9ccf80c5823f52

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
e0141fe0df84afa3c3a961d11627efeb

SHA1
f0266ef6f0d7dc75f9a6f4fda1c281d1f8172b0b

SHA256
27066184c284518b0af6af3f920bacc1ff81bfce36e580b2aad01dc319300aa2

SHA512
c77bfb714fd33979e7371e6a6761e21f7cc2ac7b557115c1fd713e16d7d8d94a78325dc4f5bbe08ecea04c21c1e1b669dc8c6f203b9d686c76a749f579d21f50

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
9da8e485c9d514d70cfa07cf8352db47

SHA1
eb16787edde7c4b1fb844ab7afe338559b7ab995

SHA256
ba5ae67ff764f5029c445b09d89c317ce7b2136ec06330ae445483cdd067cc7a

SHA512
b7cd929ac9a8072609bb71f95a7ac91d07290dc5e8541335b897fb563655253d2905cda587a8d8c1e797a419cb365aa53c1c1e5e07d59b88a4f7c648eb3d6506

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
cd27d5c1fdae2566d7248388164fb4ab

SHA1
35c576131655550988db9788a35911cdceeeb75d

SHA256
e5ecb6bafa554d681cc3ed450efacd4fd088831ce0878c9734ad5551dabfe0f1

SHA512
84487ac09d10d0520ddae6e50729a85071ffc6ea349998c842f46b092de9f34937fb4fdc985b2c0153079f5891d141f86226de3b40963bf64b1007fa65c07a5a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
5543e83819d9917dab87236f7f2af390

SHA1
607ea584823b65e3403c75a2863e1d8eda3412ab

SHA256
35af38b5f28fea0ae0637e0d3398ce6d73a211045a6fa90ad5c30a573a285c81

SHA512
b2e6de70a283049a1ed3c873fe82425ff8082ddbea6dd4910ffc8bcf7e2dbfc7b495c7db9471652f491f541ae6f93a7a972e90809f8a9d7ecf97ea10bc70ed14

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
e8c944fe152970b79799ab09203ced41

SHA1
e80181a9ed8a36eb9f8cca9532b031dfcef9aed3

SHA256
cd9772073080cf2e8e98a9f8e7ec3cddaf3b4138fda7d402b5cc49201ab6b054

SHA512
3f92263da792f9d49e95222cff6f2a554dfb486828f1db4924ea1bdde818a2c16b9ef830e04216d035f369ff388c48dbed31636218c8795535a12738727d13ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
119e9f120f068d8dc9c2c39f87edea7d

SHA1
c98dd9ba37b3324c8e5841581007a68d0682abd4

SHA256
731fe6e22a32bf72c871f87606a4dca376e544546c115d1e14abfba6341cbb05

SHA512
ed1886ae8473d0ffc40abbbf77ba1f2ca999c93c70eec98499188c17b2f743599599c0712c33cfd802731644180d7c734cba9c62e4f455c7fcd1dcf804a831d3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
1bc0392f52a46f063cdb99b3b8ca3c22

SHA1
f949234f514f4c6d2b1806e75bfb2fbb86d00217

SHA256
3c3fd29a33fb1b848a893354a4b980c9394baf5f8449999f49dbe173a4c4fb80

SHA512
3b53621325d551bc26e0c7027c766cc256cd1ae5f7f669c3d59d119596d1ff2725a5cf73dea5b71e5a81044b143d9b445a1c970ed7ce24806dafbcec7a1a614b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
752722a8874d16a5f69d36cf8333dedf

SHA1
ae166cc062f2d40a00120e4421f48c4393cc7d95

SHA256
99c38d961730429c4b553bb537f7991e7688bca6bfb77fdd3ef64a52d9273f38

SHA512
03bc9951cec9fcef3abdcbf11d07534b58f31477250a673780aceb973898349ddef5b1ff6c49c426b92be9bfbd1d1fd14e0d1873d7ee1700c9f9246b44d2e839

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
7fa734964935bbd0c57d4c225c7ac99f

SHA1
d65b2c11207d635e5aac491ad57cd8362ba4d529

SHA256
0a20ecd3b354d56801ffc3ec7c2ea8699d15131633291b7c8924ace5b444dcf2

SHA512
d86a7ebbbf7fb2aedd0256179827685cc8ca6bb02721ed124168490f103620991bc89017bd11ab03f10365c24da1758bff8242dcd92a6efff9290bc95fb13ae9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
51fd3fb0969f702e5b0174ec2c4cfeff

SHA1
dd462702f6cd94e8e90fcd2709d61b78f3904f06

SHA256
dd7279699b8b9296cd41edbea0eaa3bf3735ac445c716cc6f9fd9efd4aa25a3d

SHA512
038d6458f0d46064542fa6e4d8ac367c13e9b267028a0e7da1e969b36aab712ad999521661f7fcdfca69a15e9d1e3d4f290723756c6597e64c6fac9fb5122a45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
3b658d6361bceabed0e281dceb4d4365

SHA1
817632a1b7f5faee947b97948b005253b1f3501c

SHA256
7323eebfe7b193d473e763ac66aa254303c24d958435175af41be57e7a88b008

SHA512
a99f3d317a930a11eea58e43739bbd558f93f7380548c97a44fecfd4baf6625212d3b66055459e2df566c43d72cb0f6925ac0259b48d4ed3a5f5dd0fce8e6da8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
d22cfdb4820cfe60f5147bc505799c04

SHA1
9f037561e1e4a65a56be2f41111580d4ec75cd84

SHA256
cfe0f196a2e116a96b1df59494d420557169eec0a01869ece1c4f2026ef48565

SHA512
f7dd7eecf2d2492efb0eb93470e6449cb0749861ea7089253067e6c926c67dc661631a4e664990f6c82a9edaf46030a718ed24d2b387ba48cc359e9d1e176188

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
aa52e701bdb19ffdb5c1d23867a0be22

SHA1
1d76b89d90dfab12bc8e28846042cafd010ed740

SHA256
d1e8396ec9f0183926251186f680ca869ef1618b181d15fd11e7f3c4c7135cb2

SHA512
ae624b7bd32590a3993a0add3a646598522b334601b9b0cf0a204d157baf2e0a9b569ee1ea006f4f53bde2f7ce703484848a8653b05588d0c0a07a91482b4f04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
6da034f9e0e4717e0153f5d3e8d25c51

SHA1
d84d140787a2a2ddbaaeffb098275ebf4b19242d

SHA256
b77f3fdb1b520494d91dd4b72b0cd6c7806a2502c6ce6bc8d7e1430df605c8d3

SHA512
6b1225ee231ee55b34ac64bf9abbe612634ef018e37cc9a38be4f8276ff0b3d0fc89ef60d3b75dc7ee567316ede40cb3fd5a1a636dbe4e10ce18837f83e7349a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
25cce0e347908f95bab4eff318dd8d90

SHA1
fe9c38d28da507e7308229d27f77811e6fe4cb4d

SHA256
49b707b472a8601794f8da4cbe563da7e5943f1e0873c3dab5e4611208b5ad11

SHA512
ae2f4325432e0a5c0624689b74ff7ef4d91ef0ede654a68db8fbc1f2376c47517114ab1a7ff6588d56ee8dc392c5058cd329b94275fa2997ba1a704bc3a3ac8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
83b696d5cfe080c6e7d5aeabd72677d4

SHA1
cf7a4ee9d494b85f041668f389f004a9ab7f7a8a

SHA256
65d54247f65f58d33800c25f3ce1315cb6978b32a4363bbc0135df76c2730e8e

SHA512
235173785e56fddd9b74452ad610f1d2c7f86f789ef13b2fe27e98ce072416f979530220557d6a3d92aa5dc63ff9879a5e117910957f0f63c87b9e9c707f8ba8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
575a5393655d98023e7810f2451ecb76

SHA1
fcef93ebab1d0cdadd793ec6d8eb6ffd93fa58a4

SHA256
c7abb72000a3d3d43c5001af2dc71745b7f0de2af0697fbc531b016d9ef97f49

SHA512
a4001a52cd006a1eefb1ee87c1e5561147b4bc8140107b879387b1c2a688c01129a01222a3b2468c18da85a69614f1b8ea309ccfa287b2e11efc41842cabb9d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
00273136dbfc7653d93d9c09b59b3d4a

SHA1
f167286d149a62990f3551f34a1798223cdd0d4f

SHA256
7310614a3c404bda22cfcd0da88b7fafaccec2233ccf2d2fdc972ff081368e01

SHA512
1b0f411cabc8cf2025a2c2a45ac310669ebc5bd4a2d791937f25717e422510db9e3973c31f05b4c177af7a317a53e188dff16f1e2fbd891e0a8bd1ef89838c23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
22678d3b3709b3caf151ecad381553e8

SHA1
c5a9cd1b2b984dd139895d1465706dc0bc9353d2

SHA256
6af0daa41a32ce249ce2650a0722e8f86ad2f5a58c9a9bc9cd3fb6774b3ff8f9

SHA512
84ae97e2e316b9ce6b370473ac433279da244f6adfd4c0953d87e7c1eb04b1e005e8d2d1af98c1688b078d52ae3b4b6408893a86440243b4680e9d4d5000d7e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
c3acb48bf786c1cc70272fe98ac32d71

SHA1
66c6091b6c17627cb8a2fcb81dafe6f86331bcb8

SHA256
ca0e5b4a45e98e05ae6fd7face040703f47f5e8b138d7b54ec3c43d6529a616b

SHA512
3c39038ae980880b05b27458c5bbf01465c7d23262427c36a849c5d310a4551fac7683a26ce5eb8e2884be6a82d2aa8cd10ad2c83c09368bb87e871550fc80c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
5c3843d6b7736c7f2f87d592f39be173

SHA1
33e796049495c47c162d39f8bce74c0313811d19

SHA256
2cb9dad0fa333c174ee261653f3de2822d5a84fb3eb232111cca7063b244ed7a

SHA512
20f9c2e49c69945e2b1269382f3a742feaf0271135860af05ee3ddd3cfa521e0c7c02f8f498b940de7366a4db649348fa8e985687d9cc4ed7456d6d412d6c904

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
032f32a8f399c6f67fdcdd28d5606bc9

SHA1
f0a55b142bd1d7dde9f8835779ec78a3d282b771

SHA256
11b0f695fd70229891347d3d7fa3477f2d3091c8026f1151516d5847d04431e0

SHA512
cc14302427efe0b5d6ee2ca6037a30c9caad72e45e03492c2f0488f91d73600f8488b70cad204baeb7df9d1b30ee5e1a3656d93c41e9fb7e0e19134563d0f4d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
1dfc0f9e95da30c1299a9952e5a9f033

SHA1
866c06e82819d12a5ea831968d94f80527c9195c

SHA256
dce5b792976b9c6f942dff60ffa8e6571a193abdb772da467a64a28eaa0134eb

SHA512
1bbe2e21000e5cdab533755ea05ce2baf34525bbf7d49e92737a66b20de3cce0168981a4b3c81f358baf25461706200064163ee1c317e55fbb3c030849cb01b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
99211e7af1d4e8dcadf206d7254db0b2

SHA1
2848183b758f043e939afdb23584adb278ec3a44

SHA256
2375e3b69d28b93e2d01740c4f6a0529dfc9e8cbaf4173150cf99d2f622c9240

SHA512
8fa7dcf1efa652f87d3e3482839b784080d26f59d4520c1212c13b6e9052c05e2ec127d7b418cb752f39bed6069788e42502da615de31ed482271a039617de8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
b6fb86c5be4de8b052e0935d4712cc70

SHA1
b99042df5714f8b74052518ccba563dd46cf9eb1

SHA256
e88b3807063162f6e43b1c408e9ca984c65bd84a111da4362bd0815b0d38632c

SHA512
194594566a15d4a403d9ba2bf0b37f6050c44011fbf65a89dd234ca86b4d1ab934cc3898a2b9999fb646d9798ef57a37971a6ceb735dd726d7ef9bd1a3a0e759

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
57763eb656eaf99787484e11d817e2bb

SHA1
d6d4441d32ca94b84ab50b1c7167ec5fbeef7b8d

SHA256
1164257b20be01cf63ed65b3590dc60e8cb784edfeade4f3a3066555fa133af8

SHA512
1fd99a1ad77e976c120e35332dc78ea4c7670a940c46324e0892816226119f5bd33f9edba5f27ac515eb6dd1c9ba777519bc970ab53eb20a35aa519558394464

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
da855505fca0ef406f9689f3dd4eb2a1

SHA1
38086b49df0c00994fe962f37ed016a0072ef5c1

SHA256
729edb98da6e8772f5efb8af36d7d555477012315da3c9e11b5a23d802cea4b8

SHA512
36a119deef2e941c03972888a06a968b2f92899502855c497df3eb6771c7e07cb26b7d7b520bc25556a4272aee4255aa6f2c22f77004ce3a361a3c2fa3e2429f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
75918969ebb6366f519256d6797536d9

SHA1
48a635320f6132d0ede1192a7001dfc47188a15d

SHA256
9b4064509fa27cfd3302a5e525ce7e41d76fd3c475a4b0762948689f5e387c5f

SHA512
8ea27f219def320bbf1932ba622d0a7df34f2d0c2bdb60ca89fddab3846d0c0fcb7a211a7d36734d4bf1f409ef439909c2ef95fdf494857fbba31d6e644e9504

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
36fadc0b0538dfa01da9f15ec1280cbd

SHA1
c09ff63e540ccb6b0f9955316ba73451d4511de8

SHA256
007e1f5031cc75d0c8ce239d708f9b03cac44546364b6793c17b8a1209061bd7

SHA512
455b6fe5429a1115087d3ee013df27d6c3dfccb84af4ea5e013cf6214e93f547ed180b248080610270c07a7cf40031d4a694b13056452deae8ad113ba0070d9c

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
00f22d7000a0368ccbbc07b9380305f4

SHA1
64e4dcf86ca27c888ebcf59a60a20877c2aa7496

SHA256
73949ee01935fba68b17ec5b920a0582e1c3b07f2e8423b6ca8f0f7b0f5dbd85

SHA512
ae0cffb50bc0a994a424603532dbd2b26fedfc9d1d5ba272a55e42324715fcf811d1b14a7ac64802c2be54de4d28d87e09c5f3f3bbe9b2a6095ec70e7ea0060e

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
dce02f1c6b4809d4adfb1b0765f2015e

SHA1
5dba19a408bf289e9da83554dd0ec8cc51ac048d

SHA256
5f9009603d9d5f5597a5a71bb6be0d63368a7e91488d4733fb3af748b566715c

SHA512
fbbd753922cb1bfa3aaf6733dd83dc871ae54a477abd08781f405152e767d6ea610dc50011bf4085db053bc2df0e27c03e9b8ac4051466d224385984a87384ff

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
efac22bc2409bc7992cff0c3f2ca87e0

SHA1
57dc344678bf9e4ab1fae4d89a96197353f9590a

SHA256
e7cdb4026d0058fe78d46ed8827b95d30a9dc9545d8059ac5c5eadc08c65cea7

SHA512
f6500300cd164fdae93d7210e5af34b166522e23242256f953cc41b38011793cac7d7de2d30fa2faa236aa9c1b681814fd05d1aeb023f4facbe4118694307fa0

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
29f15f5a1fa8655cb3643b089e0f520c

SHA1
2e80b6f5c1801ded26433d790c95d8d8cf113800

SHA256
166511c570935e2f1496835142fcc81ad19d0a6a4135eb7f4281bad66b018591

SHA512
40cde45873cfbd967d7db74b4cd33947506e240e8acc5d69082bfc5f89593d386bcbc3206cc73614761470d29d08f0855f728f6a33c2e45d00f38878de954b7b

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
b754eb4b9cdf3473171faae60330c64c

SHA1
5a027dd98abf70c8ef51b6beefcb602a01fbedf6

SHA256
587c3421b1fbb864c8ec4eda07d28b92294cf75ad2b43f0ecff2d17cca928c50

SHA512
4b0b0188763b1fafa4984159c6bf218150eddab5382c2581e53f658782931b06a1987ddcf9e2a04c4e23611ee31b71c62f7a2c71cf3c3a486e79df8df57b4500

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
07089843acb753f8673f75e4d8a19012

SHA1
e280109dedc0c6713744ace7fdfe96ad1043fc54

SHA256
87fb333e46fbe87763e1a03fc0da48046ffbf7c33bc7e0f89fcba210bbc5fbe6

SHA512
fddb91aee50c8193cc0e16f8e3fb3097236c3f6c206270a69f9211aa23d2f88463f24037964c4f14a32ec46c2fe36a5764c133cee7ef61aefcc5cbe0a212057e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
e5d530fb8f6e755cee1dc2e8e3c96dff

SHA1
1a19e63f69616be9195b9b4d775679485b08130a

SHA256
17a14a861782966a1873129a760b7623f55408b4d108494001282f26155b12cf

SHA512
4ae3e20b62e09027c7e06cb7704e3dee74c3f7619d4699d861c3d9a1b1731cc130645c03a66746546d6d093bfbb14553404ec8beaccd6f349e3972954132ec2e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
37ce8c2c770948f06c7029f3804b1c88

SHA1
81f3f8fbe43fde018d933ed440268d3aeb88b68e

SHA256
9841893874695532e9fb1a40817d601ffd4f5d6a5d41895e9c5961bb5be67ae7

SHA512
d95962b869b5e8a09f5029311700dd13a8eb12d32139488890e779153329dec04198eeff5b4d4f10c9815ff8f4ff964da8c41a744d4516a90eeb50d6f0c59b69

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
34c7bcedd4c9919272b57c42d24d5f0d

SHA1
99b8283e93474e1f4fdf9046066b02eb6683e768

SHA256
43772742529d798372e83323ab188d4b8c29f3ce43124803c49e37c8f41135ca

SHA512
22338685e063b58af28d13bfdf8628ec035ca9c7e65a833e286b6afa5d88a9f1a6da513fb9a59408997022a5af8a34e67ad0fa1d13681b089a3077dde75b71c0

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
d1157915a5eaa7d5ed3683b3c6f17f6d

SHA1
b0f98cfce638510197dc4c4dc5e0a347ac448a9a

SHA256
a1c92b71eb5d2576ef2efac506a58ba645d00c532033b03331e9485c754f1f31

SHA512
efa01a5c43e3fe303aa08fa1aa66d8575ea485a7429bec80bad8863c6b75f5ea829e747536526841dd90736bf39193fa23780b8453a9dd1b37debbff2ea9cc28

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
8e3edecdffbc2a94925509a5b9462ffe

SHA1
726a6a14b3540f5ac8e649360d26a3b75f184ccc

SHA256
c2f10c33fc7238f20f821d6be34efe341d0f9c2dd31198bff86b5b39480894ce

SHA512
63031b37a54939e1a821a3c0968fc1062d83b1492aed9acb594e3c6bf1d8435c682636c51f61386808e8df3211479fd067a4ed044f68dbf7c46dd022b49eb441

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
a59642b0a60d2ed2dfa3f192424f9bd7

SHA1
bef1db1cbda36d1620e4f1f19b94551f5c701c0f

SHA256
13ef3e7ea8f4b32d7c48a930b5d66c2c148c43eac276b15ef0b14e7bdf096bc4

SHA512
8cc53fa289791bb36647f7e46ea8a98a2c2c6087f435cbfd10aa08bd597ae69f459ae10a087201abec22ee89562c37fe090b21e593cecfb56dae5d15d89815e2

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
9055da6cfaff78239d63088df26e00b5

SHA1
39e8e22cf54a0fdf0fe52e27fa8438bffd12718b

SHA256
1b40fa7506cc15f4e80bd771109f9d61d64ff8ee073214ca336761f6031a328f

SHA512
2de26a3f3cc6e686081eb021ddd59e7614eba3fb1fc36434bc5f02f999a3a22baaa81712f91868c341ce2e9bc5c85a87da65a71aac47dd0eb946ae2a71d1f8f7

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
c9bc1f195c9fd44f28fdacd882b82a67

SHA1
17386e35456841ac3aa60c17b46c15ef67f05f78

SHA256
88ffa779e9d2eeb3a9bdfd5bc80fb95a483169186ee76590066a8526640ca65e

SHA512
b4d6c50c967e0f7c70186ca24fa9082322351faf0495c18f87cee8c7b9b618fe134cedcd8d462d09f2c7bee7355876251637e314921992d2265bfafd89d56fcb

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
8fee74074dfb1cdee91cedf686054d01

SHA1
65ae702c927474ec0cc90b1ab8d95c74ee391b8c

SHA256
683e4e94c5a40257c393850ea6b1d6f63477a2b6564e08d78c54d1ff464174a4

SHA512
f19311a5ab55c5153ca79a4c555c98e8596c3544c72c8f5c274109560f503dad2a0cfb47cf8b33b3e0634cf8d2b95ecffc7132a55498e2a8969fb7336330ce36

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
a37c8f130753dd8f673be0b85e69db46

SHA1
e1a3e8410df013f5ba4e21660805a67043950874

SHA256
b8575cf75745833ee74b7f8608c5b5243dd8659e7287da742beaf38a38ba319c

SHA512
b4708c313428da3831bc3386f7ecf1437ae1de86496440981263e2bec630e17fbb0d7551b2ef17755bb665b588e67b3d7d98829e9784833989328adefe1b9aa6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
5fc2f569dd2b7043d02a2895b9407942

SHA1
89290046c99fba470e2076da0d8f03dae91e824a

SHA256
043d0c9033ac6bbde6e27e4a14e0e9534f1ebfcdcdc6d1d79961ebc296246dc7

SHA512
3e9e9753f1d49b9768420476a664d742c31f64ad01c1a2156f9423dfb58f74c4b5028cfd4c06b9f42ef20c1edba6bd3f26427e40b1b94bf0d68b7ad0fc69e3d2

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
cdcefbcfc3e083a45e191503f9f5b226

SHA1
ce820f35fc215b4cdc15c8f04fdfe189cd181380

SHA256
d7af659a7c13dc541bc86ba75ed037cea27ecf4045bac7e762ca3bff972fad6d

SHA512
81c33c390088dfaee7a9e11c0f15018c74a63004025a9e6296256529494e00b6707813aa5b94edf9d6281b4b68c7f17501c2f161e50d5fbb2ffab30c87d2a78d

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
dac3e8dc848586592901f1ae5a94342d

SHA1
307e23955be21d5966472cc233bf6ebfb46f69a0

SHA256
2fb9ebc84c3687447fdb1865b39511d2e044c11f40bd59548ccf24a66a745a53

SHA512
635353ca9d24329b498c83e02ba1baa28a38a7427854d5e4c693335c72c88a9bfe290ab71c9bb780df96554f580ad1f23bcb336511b6825a771e63331fc023d3

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
7fece3b95d02d5b5c2000d500950096b

SHA1
3ec78e9c60a6d9bd2b0712978265a4de1aaffaf0

SHA256
76388ab82b0a91a59141e8e2d5e09cf45e84060b0f893c3711ae22eab9ef7569

SHA512
dcaf2e8a48ee74e11c7fc55bce53d256c5e30398ee3eee6270b2ef920d142797f436ae408c69d23a1e1a220db2fe7e1bceb23ce13c82c09d6e26b77397dc7058

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
1fc0a4e701cfec18e05f7733479100dd

SHA1
2345f95acb2883567b51452cb7a5b276573926cc

SHA256
c7e07a2b890bc3d8c980fbc79b169e05f2bb7adb76231fcc149f81fd1f5bd444

SHA512
6ff797190bef5df61f3d17c892feaa72a6547e15c611f5eef6aebfb9e2a46c3031cc9ee7259359b0695a3286c352772122a27f6fd3bd0c5e4fa78eef6728fa16

Download Submit
memory/896-456-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/896-99-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/896-104-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/896-108-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/976-145-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1008-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1052-0-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1052-8-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/1052-1-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/1052-107-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1052-359-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1052-6-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/1192-455-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1192-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1220-458-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1220-154-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1588-82-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1732-143-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1972-463-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1972-166-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2100-79-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2100-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2100-449-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2100-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2112-144-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2160-462-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2160-161-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2868-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2868-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2868-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2868-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2868-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3272-165-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3272-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3272-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3272-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4092-146-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4184-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4184-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4328-157-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4328-461-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4492-150-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4492-457-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4556-97-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4556-87-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4556-93-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4564-141-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4700-149-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4700-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4708-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4708-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4708-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4708-153-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4912-38-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4912-32-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4912-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4912-160-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download