d2ddb61e463c83eacb618486bcf67ee39099dd4d6bbc52f4acffc379373ca174

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
Size

1.5MB
MD5

ff02e196198a7408aefd84831994beeb
SHA1

ea816f384f751209d2ac91cfd2b368d2944a9cc6
SHA256

d2ddb61e463c83eacb618486bcf67ee39099dd4d6bbc52f4acffc379373ca174
SHA512

bdda1405871d9af777abf71df0708791f845508b4a5cae21f42f3acb0842b5604e9d4d02c538d3b3d4039146789f6b4f0a61a440beb66d21360c26942a869f0b
SSDEEP

12288:1Dl0m5IJlPo8hnBA4zAXjzazqXjQ2wXl/7vX0gMTmkJR4Do07Y86gw5CtCjX+NLt:Q1kMojzaWXFol/j0JSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2484	alg.exe
920	DiagnosticsHub.StandardCollector.Service.exe
1844	fxssvc.exe
4312	elevation_service.exe
2792	elevation_service.exe
640	maintenanceservice.exe
8	msdtc.exe
1968	OSE.EXE
1996	PerceptionSimulationService.exe
4936	perfhost.exe
3044	locator.exe
868	SensorDataService.exe
684	snmptrap.exe
4808	spectrum.exe
2768	ssh-agent.exe
2804	TieringEngineService.exe
1876	AgentService.exe
1548	vds.exe
4668	vssvc.exe
2380	wbengine.exe
3444	WmiApSrv.exe
1400	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\77435f717489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe

Drops file in Windows directory 4 IoCs

Processes:

2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001939541c8499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b13a351c8499da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffeafc228499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a08357238499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006124d1c8499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005987621c8499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086613c1c8499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1012	2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
Token: SeAuditPrivilege	1844	fxssvc.exe
Token: SeRestorePrivilege	2804	TieringEngineService.exe
Token: SeManageVolumePrivilege	2804	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1876	AgentService.exe
Token: SeBackupPrivilege	4668	vssvc.exe
Token: SeRestorePrivilege	4668	vssvc.exe
Token: SeAuditPrivilege	4668	vssvc.exe
Token: SeBackupPrivilege	2380	wbengine.exe
Token: SeRestorePrivilege	2380	wbengine.exe
Token: SeSecurityPrivilege	2380	wbengine.exe
Token: 33	1400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1400	SearchIndexer.exe
Token: SeDebugPrivilege	2484	alg.exe
Token: SeDebugPrivilege	2484	alg.exe
Token: SeDebugPrivilege	2484	alg.exe
Token: SeDebugPrivilege	920	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1400 wrote to memory of 2684	1400	SearchIndexer.exe	SearchProtocolHost.exe
PID 1400 wrote to memory of 2684	1400	SearchIndexer.exe	SearchProtocolHost.exe
PID 1400 wrote to memory of 4412	1400	SearchIndexer.exe	SearchFilterHost.exe
PID 1400 wrote to memory of 4412	1400	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_ff02e196198a7408aefd84831994beeb_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3912

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2792

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:640

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:8

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:684

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4808

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2332

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2684

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
99ef94458caf505b320551163c3037a0

SHA1
e33f45512b77ed5c21cfa39b2c70eb7b3197e914

SHA256
618c87d2704ffc5e12a2379d3fa5f729f5e1ddd513425f5b93238811914373a6

SHA512
c9d31c85bf1c06afa1f5dc9d9d17cc2048b7e765162d09377b776da5afc218ad0c426f3fdf4a531b39ce96387dffcd9264e435e4390a0652e24e91d9d29e75e7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
1b3a841641db8cf0e2fca8978803cc0f

SHA1
6886f98eb7edbb72384057100ac3c91d23e1a99e

SHA256
c4c49fc140e0b8e4f73a5d9646cbb3369a69931712e2eb563029394444ffa2b6

SHA512
37b03fb0de5b5608e04651308253cf72efb1050e72fa78b996a49132c647cc1ce396abd0cc71a59eb342be72195bf64667bf57b777fa492f98716c31bf21c5c5

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
b8bd657c0ade76b50ef151ec38951867

SHA1
b45fe99c5619f20dbb45f31387cfdc9fdff33828

SHA256
fb0a0fc99b11dd949a662e1c53984aac7a9566ad7cf3296aabcad50b954ae1a6

SHA512
aab086a1b0b7ae1efabc83f1d2bc16385a452d1cb233448844a37cc5d7b41a3ab2ce92841866c1fc4f8c9c5c0f15c6fb4ff146e86eebb254e0d3037b5bf3484d

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
d15b45f69bd60783862cfeb44978c9ba

SHA1
7ab919a9eed8ada330b25f50c2554030516511e7

SHA256
01c41f54162052def72a50e5cdd8f1255260063baaed557fbd8212c04b57a027

SHA512
bf2470863a5bb7bfdf9cb1320bc4f116684c34ada99cfe657d7c927d5e0e88556763d646310e58c8ec94d2308e51faa5ea0383636c8a9bdd0f2c88e12b715bc2

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
66e6b819aedc70786afbcafd3f43bbb1

SHA1
64beb50551a07300af9aff782d5fe7aa84dba561

SHA256
f6b90fb797ce9d4cbc52047f360d70562d6e2811d2ef961dd83ec57c2b343b2d

SHA512
005023c3dfad73182d4e39eee547ec052fc5a205869d2f6309b9789504e925a69e5bef657cb3147f85812d529b96f6d872187155cfd352ee984ac2c922eb02f5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
d3f56526b6141e7052245827f0ae06b0

SHA1
801799ded5ad7ec9fc15c552918856a24568b61b

SHA256
921cee3198fb3863b32a7b62a1161b90df00d2380e4a9088d146ad91da3cfb9f

SHA512
0a30e8422db244e9e1d8fd2f1503829df86f4e44dec30d09a02e4c8aca9fd023eee1ffe6a3d557ddd10c79a8337fe109f54f4d7e8715ea15cf3ce57210c2c412

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
b0c95955d4316208a5b3cac4006f5dc2

SHA1
2d351b821438240ff95f9747f8f31a7330311719

SHA256
937965567b62d23b92c190cc9ab3399c20ccd0b8180c02ebeaac4212ca5f1123

SHA512
4cf6f68b5da5bf9f67cd01519c3fe00913dfca1853c5cc4a908250877a62744524adc300dd895aa8082f951ad80e599dc8587f92bf1eaac9fffe4f26c2d9092f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
036627a31a7170f564640516f9e9f466

SHA1
45d4c4eab522695a5cf4c24e0740e50e11d651ff

SHA256
e5fe55ad2feab50f88da86cf2aae3afa2c180603d5ccee92b38d0b6718ca2949

SHA512
69e329ef4c97bf55cacbee38b4a23cb52139904aa4f068b8e9846393df635ebd31e93062536fd96783988c900ed2f92109c443cba7630bec16723953a5b37e11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
684c3409f4a7ca2823e6cc1e88591964

SHA1
7047968bd45b801d9c105285f46ab62b48b8a9cf

SHA256
abbe6ee939e5c6ef0b06f117859e34c81a72df17c7036dab4180ad4760c3a8e6

SHA512
70883238659f1e8ee4a18a60783fbe2bcb61857e87199b08c598614ac40c3391734aa2d9de84e549523303e5adbbb51aaf4f83752b78454fbea2ca2b51737e23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
69a04dd0ad1c2b2cd334af01f389cf01

SHA1
2a95f04fb4cf941302b2cfcdd79af0f272f3e2f4

SHA256
38dc16c33450adcc79b30ae8225fb118ee344d59e3c8ad7f53312ad107c2dfa3

SHA512
4da0e9be7eca89425141713ac340a64d4b50b4f2f7828493febf047b95f1950db55538119bb07077687cc6215c6ec15bb40f87842f17d68627be9fac2efb2f9b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
70b0bf3d78b3b00d67c1935902791786

SHA1
0e6be92c8bad59e75e570d572ff0bd445d023252

SHA256
ae066269f28aa346bb4bf846941b02cab0a77fb38db2a722c8f4e16485ad2337

SHA512
f5a0af202b9b1051a4d2df20fca50d4c842c5f74ed20f954dbc8ddd7d747e9ac02a212a44619d1c9e25731f87c51b94d35ba3c80d6f71fc69287ce35a1ff3215

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
2d74a05161ab3a1f8453b3413e84e2f8

SHA1
085223cf625b0dbc87c6ae22c27b74aa2178a027

SHA256
199986b6f5fc64367e8ade631e177d1797f14035fe849e6864f9cf7b9c53a786

SHA512
5a154c49c4f4990d534c10050419db3eeaec3802cf28ad2175c68d478974ecc8cdba0a74490e42166b6e71a20ac88b99750cad92abdbedc9f63919ec9e8582bb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
2979250daafe99450d463d060bd0009a

SHA1
27a2b00d1b490ddddbf65056bc2cecab659cea7f

SHA256
38f6b678578c12d185e250796025690a953d03fa8b9fb5c80b9975f955a0bab1

SHA512
2807f2b2d54ddcff1349b12bd6c158e0232652d2ad49ac386fec3db6df49a00f61fafd305a1d946025c3583b940b69b0aea60d5c2c0e71c63808d90da846df4a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.2MB

MD5
bd0fa13ffef36f9ff610c03dbdd3d743

SHA1
a1ece497aed0b2c539a0c5805a722f20d0b2dd35

SHA256
0844b787b504b78eb2e4fa52740ab743d5f8a3cf3e5fa0afb7c65d5a3fdaae27

SHA512
c18b12f692dfdbaec4aea108d51be20ea5fb9e627396cd03b680c3609bdb124565fcfb927b531f3540cc3b523828a004579e47b21946f7d5a43106b6f43b6e5c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
cc7565b8fe7e354a76cda6a4c5f2716f

SHA1
c40227d3bdb04bca66f4292e6341113fa2740435

SHA256
e8041b536b9f2de9ca0b09817e2aa1dc7708c82551284aef737c704183743b96

SHA512
9f0a7e5a6368d7bbf91188260d0bebefa4e0141dc5e35bef6b76105b123fa32f9cc79f7392be26210285fde62832bdea960f3f3f8617c120d07441d31f624ddd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
5bd18616bb91b4b612af13c56a348131

SHA1
4e05d8f5eead4efcb926393cf1ab9e3ea77c83f1

SHA256
fa045263f16b157dbefbc4a78da0e5ab9e0b8a632c385892c6ac20a906f48fba

SHA512
61ce41d3e629762d953dd3550ccf0a75859ba35d1cc0a7f76a7003fcdcf46f10537cf97cf842a335cc1d110f1c942ada9824c292f65aba0cc10c36ad399b51d1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
aa11345d4e9b3860be4af1aa7946b3c4

SHA1
7ea91816e93f792b2effff44d7121cb298a71289

SHA256
85ecf36a434ea79ce3f6a19513ae5462642572f9fe462fb4a5fcd62600314954

SHA512
256eb5284da7afd459d2774da62d213eb9f71564d9b332fb3f8cd762d3658ce5a3bd418e193dd2ed6bd04767da8afb466315ae793e93032469c8fff25e8756bc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
535b46f4beb491160645bd6c3079b365

SHA1
cd91ffefeda6233a2f76209c3ebe680d8b4ad35e

SHA256
49077998048f90adf0a13bec0fb637ea95d2af8b15420fa80bcdafdc34ee1f55

SHA512
f527bd319be9b24713840d88b96793610cbdf028e513ca59b5dbe25f4b1a9cd93220299129373b6e85d20fbd677821884df520fa47f805140ae2e079049644c7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
28c4770d23318523bcbb552a8fd3f7b7

SHA1
586e23f96ae6de2f1b9b9b126d53bfcb55e61b09

SHA256
d3655f1a3c5a9e9a6fd5b391d9450f92efa58c4d6f5a0a2794d66c908b28a919

SHA512
c30f638560db46e6a08910545b8d4cd44ae775ac76bfdb2fe925aaa30f49096ea8923c1b9ea9dd177dc9bcd01b4f4eb1e8c16e56ff36bd3a3e59dda528f0c608

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
cffb0408c9226a3d51d049440eb8bcb3

SHA1
a5f01b86ca386a0eb6cbac9195a830471bd2193a

SHA256
59edf3f2922a325edd9d7b9f75fa12e40ff67554edd24558df0b8b22a2dab3a2

SHA512
2812e38e1209247083dd6f29947265f72cddc84976a99a03bbd327a6d636763954a45a5cc4dd01132de4dcbe283cbf54811696333e6488e0c8b514c6d6e2be5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
52016fd9b3c6cc9e7e301a81f6d13b09

SHA1
77057f9aa7845b0b9ce2323a923781a0e2275686

SHA256
a30b0d97e6b3a422d1d1b88df68bedff76f45f0b25f842a7c525028d356be8b3

SHA512
d273ee663df7e5c8b757c848bf9fa0d9999e8ccbe9e49521c6b0e10f17979ed1ab6027ccbc7c52eb0564e7b47b6c9b81befe546f9d82d34788c5a6ad1f181546

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
90e6b6844a157c5eb0f7f1385a61f12b

SHA1
9a353bfd26ae9b8676c9bfa5c40e32763151090c

SHA256
5d42dbc23425cc1873e2870f6b21b745ec058dae46e5d8b0b5dbe3fb1d8d1165

SHA512
06580cfa59517a1502dd768d235a6c879ec68eedd24a08027bc8493b085d32c9b3c535b0807bc63fc3b7d041a08dc25e3b9d50e764f2c29b5c8a3bf99c490a7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
ca5bbb87d7e3e06f8f115ddda6b36174

SHA1
1d1b24c3c41bd06c7dd02c7bacb3753cd58b1fda

SHA256
08cdd455b8af4866fabe604f1905e84b02be9ff186e5947fba5fd7461f8b66d0

SHA512
a1e7b8208312ff1ac1f354ed472288809bb3fd2e70d438d763c2e7cd74c57d545cfe13b4482b089c9587574d0a6cf0e482b037ba17055898ad92dae85a5134a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
af43c5099541aab213149e96294a11f6

SHA1
6070fde3ad923784e1423a5083fdc6bc225af3d3

SHA256
b45c2114dd41cab2dbaaec1c1b542f1de2fa9585c4862190b07966b15560d05a

SHA512
d8a105a757b936d97b0fd96df54c88fcb3ab42452fdda651042adc01c0156b817ca463d8f3244d27b37f5be40a5e8194bdaa23b0c21200b24d398f24d20d769b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
308cce28f9433ff312fc763d0b0234b1

SHA1
21b3e9a88f043a606aea016c1887a082f3b170a2

SHA256
70fe376517be93185a7a2981c6c3a29f46c9974d8e94dd82e4970bc4adc4d174

SHA512
025d3b95e5ea29669c6f96e45c115c0a11a86cbec2142b87aac43ac148da07abb284fc77387b7b959fcafd4a23a64f08d91e7edb45f27cc894d42035a1d55a87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
a76f302ff5c54d4a6371528c51f1e241

SHA1
cd236fc7c6fdfcceb1b8a7e11265ecf0cd03fc94

SHA256
1a48b263c2e7938119db3ddbeab4f11ec4c0bdf8e403fdd909f2cfabc026a889

SHA512
c40fb09e1d67557ade9a9d451cb2fedbfa40f83246e5d386644d5324c9db001795c4dec5bad5d0688567ce64e7784567d91b8be38ff3df630289c0bcd1a0d9e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
821938a5c88331b99392356ddfc4e634

SHA1
0da1207b34286330ef6fe1d9639b6785dc5b081b

SHA256
f912cd6fe159953da292bb1c49c4c8e6f97389a5fef064499fef53a008758082

SHA512
54d310826dc22cc21b0a27c46fce40bf523ae101df3057b74c67b269084f51b7a6f683656252058d9a1de5e2d0f1c6d279a816d9b3a3f8549ea20caa66c3d862

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
b92d7d54566fd6c222785e569b53ed68

SHA1
35d9e0a8ae1bb48296c708073dbc79357b05ccff

SHA256
1583c2fa0f2f1539d79c60104d4f4a8782917c17b96260293f5ed9d217996691

SHA512
d3d17ac934c19e32989d2e3a412b0789e77a92e4e7cc6ff1a6aee239d562f1f709b2f2f9d6c86c529f7ad92140ec6e4c79be537962ffdd75a4559b04c71cf2a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
12cd273d399d484ee950f9e9b0f4d8e9

SHA1
dbc32b409c75303582b547e34b13d3df5863c0f4

SHA256
a6ac5ffa7a47fb28c1e864e6f5305471bb495a2ee8eb595473b8e7e5b6107ac3

SHA512
8d563a1c8c8896f4e9a6fcaf37ae796e3fae90ca1a55a62b9960ba01ecd197969e34f3a85c68998226128971ffb5a057ffaff10aa3f26093ecb1fd4592a6ba07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
77a260b48c3bf7459ccb64430f3100f6

SHA1
28c6f7bc3135d25541176470393cbe36343289a8

SHA256
c9e0eeda96f3b3799f22d9c5e422cb9b942411a9d359bcab021edee395875850

SHA512
fbf55c2d30b8eeb61ed1e0e857d382e424604ad445e6f35258f021e1c00b8e303ae69a66e2c2be376406d325f83ce3b8b3725e992cca8d45df64776aedb71feb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
852fd606e7a39beac5641fbb98485185

SHA1
ebd9dc77cdec1ed7603e7f0f7cf26e39025a09eb

SHA256
6717bed63cc93b5e45e32a5e0dea03808b81abc9429484c909793ccbb6253caf

SHA512
6cc7771b8bb36f41d8e3acd5ef91214753efb042977d411979e877a90a01695931a41ce05a7dee15d4894202a5f90854f491af09a598c580c9074e0d75b5ed23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
d9ce5d1117502bec381f021bac189f59

SHA1
4858e06f5d593c598974ed91c43b853c8f351e47

SHA256
c93cb27ac14dff12ff4efea7c8f76b49c016b6dd975b16acfa36bf66c182b3c5

SHA512
03ffdb6eece02256525c43a05f682744805798b8c26328406e3b5d4af223cf9539e0a47160f3b027c538d5d33c4c56474466905db0f14dbdbc754a310cd77d15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
8eff2ade836c3046fadfe27b6ffab8e2

SHA1
ab7189ceb6413fdebaf3b1a5971246a931be93f0

SHA256
2b3a30d6ef34d3094eda1d1b0a6c0cd630b7c39bfbcf4eaf07790c961a318a28

SHA512
945d6ee8be9e8239c68f54e8b2a138ef8d2940221d0028958e231b034208fc71c211001aaa79e9f1e67555d42a169abe43382a2f04fb0c9b4bea647a281d2b40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
6b57d5d94cf9875a23eaa81671d7049f

SHA1
1d066fe4b98bdc4eb9e3734241ac9cc4ef0eedc2

SHA256
3284f7ad2fc85c513a3f7eaac655cfffad3d3d04414ee15efd23d705d5d8b68d

SHA512
eed665e3d04cbd3a1215e68cd4c0ef3af0a956d06e55c008ef97ada93f75786601ee2e1ae66e76eb7d6e70bb82b9f352f050a33cf59bee080c0e3d0173208371

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
9498b73f8483a6451cd3261c63fd027c

SHA1
8a9b29f9fed0aeb3b17409adf81203b324fdb50f

SHA256
b882e7ece4f801cc2b9d12ec3797b91515a1d15bc3a2462eaddfb13354bf4621

SHA512
7cb61d9cef860aab92ff1b9ec7186bd1ceeb7d588d5bed484d7e97d65870ba6e3be1f9b9d7c0d7009d58caad039de7d3737ba2da542a1f3d1ab5ae0a12a2f2d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
15a0ad816a0964084ace194c6ef8228f

SHA1
2fbd63a71444df7a9f3c3b57b8d6875d36029ed3

SHA256
9d179ef08f4683de57b6c0d585a2f74157e9e1dddf2f05bcaa2b653e907d8718

SHA512
629a9db6353b68f87eadaa63dd17108c185102df95c0345feb27453723395829b560d60c7e8fdfdf7048b0b3b2e8c1de7931d7afac02b4eac10c8fa9c9ac0b81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
77da24f8d00195a3ce89e9149851b41c

SHA1
d048e47ab3fc926f3b5b8cece05581763173f57c

SHA256
3c14743742f3c68d7db3bfd679aa238d1d35bf92e2039380f6b5aaff801121ef

SHA512
f7e640c675a235583fe627db3749bef292063c078f9f093777b91264f7ce43e99f3333f3d767a854dee1e8ffc9c8628fc905d0aa269783e7f9a815f60d7520b1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
9db569ff5299f8b04ef9d00274922966

SHA1
08b534a5e5cb45984e6bd01f18d9f4840e3eb84c

SHA256
e50a07c8944a40ba2ad1a731f5ec3759d96d9af24c86f7c3a801f7a95f29b374

SHA512
339fb54cc385fe53b111cd877ecef88ccbfc93a05da1458cbc105c1488f489500c243b5aa28cef0eb0b30add738e55f782357393bc07f37c1a8560311602e307

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
a095614f2f5a91211351474a3bccab1e

SHA1
65bdc1059839601b696d97b88ef30a0daa82f511

SHA256
59badba9b154ae05804ff91eda219ab3736c1dbae6867802d084588e9ff9d67d

SHA512
ab254b2b060d22db557615872ac128828fc900bffe2000c6e490711ac60fc06388dab6c8a51625bbedbe2bf202fa646887e4379a343fee221908a73eddc2a311

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
a167006bea635657eee9a4f86ea81da1

SHA1
bb8fb6641281d5fd759daf5839ee614db66d4f18

SHA256
c4691cde3ec71061b3c2926e85d4b00cf064b0e42cdf805348ac13c67617d2df

SHA512
5040d30bf6f3704dc3997c22496789bcf7ca4de0da54fb1295b83224ae01ed1b87f8f0985d09328e32ecd02ebeaa0fde95666da00f371e6f5b69a1d91af39535

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
309a4ce7c888a359b9d980eb891dd0e1

SHA1
48711300928c6256b710556d7e3af89779050c1a

SHA256
637b9281c62ceedff2c38c38467c5f02fe6739276da1a09bb1bedc706d94f58c

SHA512
a204629f52c42644a0acd2ba8150a2b67fdb11ab7423faa2d241309dffa103e9826ad37c67f0beb12dc9762bcfc8c71d9bb3f2bd1e0992ba764a57b43e716135

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
5ab88f905498ebdd98272676f79bbc9f

SHA1
d4f01246b709b9e7414a5eef4885ac63704acc16

SHA256
4b553dfa698856b0650199448a802a37b8252d4944243bf3b1f2336c505962a8

SHA512
a8136c90db7664403e0fdd00fee394d52a09789dc4280fd3d77768187bfa825a47003eb596db5067c7522e289a5ea2197ee0b892db5487a6bcd084cebb4863f4

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8c6acdf0e9504dbb392fbb591194f5db

SHA1
912b6ed22e8c751062c547889800279fd9a730c9

SHA256
7375e72311e79b495d7f6772062b53798d003b8e90dc2419a3a2e0678bd097d7

SHA512
7632ceb02e694a79934b185f6e170297b886817bd8131c100a5db92da10eea5e5f0f8feea4a88464c284fddc8a11dfc36a7194a859d3ff25b20e90fd00cb10c0

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
3be0ab67f7abc45e80a84b53466f6191

SHA1
1323fff934922fc2cef66fc8441fb794cca2dba9

SHA256
3e23fb1a02b412fdc38cc890ddccf767f628ed1b8d46a8dc907a8f60f6130100

SHA512
c8c6f7164ffbe3c036421e42ee537faf3024a616d3b98b7de8c4aa01b1333cf823d7521b0020012d94e103ad649e4b63ba0f7a0d0452339b5fe9bd437f2232b4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
3da9de28383d74b4bf48efa9165bc684

SHA1
038cae338ec6ff118ae9ba3af48c0f7afd151823

SHA256
533c4a8d7ba59b70175f7c8f55d34b4d83a0209fab0217f713c6df51a010337a

SHA512
99175826b12ffba4c12a8eac0deb311ddb9a1bf183340efbc0aa701ce407f8e1e191f2cd0e6aca7ccbd909170700227e95ba67caab49ba66993fca1432d600f5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
1691dd603801b76eb7c4164f51eca901

SHA1
610f697b55806189081cfbafe359e29d95db5227

SHA256
8f0a76f409da2a87dc0096869d2ff2c318781151d0dd7ca4819994503ff4cbd9

SHA512
4f9879073ba7de282337c611e7e61ec3a6be2d2d41acfc24d594ae0b99f7b301958c5108ac0608879562bae750ebc72c577600e91997778ba42225bebc4cf9ab

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
86330c5b7741a9dc99d75c716fad68ca

SHA1
df27f27c5671857c26ae14d927d7d57a2719e8dc

SHA256
22e2263a2ed938cea6db98e304bf8979454ea25d45ef473872f3b0499c8a52f0

SHA512
5f3812217c7041d6ccc50c30f8b201876c880b8d37316a7761994ea36d08c0b77e47cdb66f215c726d0ad62837e5e5a2fa00451e25abc519fcabb5ce33bb86e8

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
2fbb7724b2b8d8bdb9d75e07c38bf81f

SHA1
bf3e0b8590f15a8d4b2929af064f33c15804b047

SHA256
7ee07be69c167086199caa7f672a0ae8e744529b0ec0725ef8a2b9d5ded4011d

SHA512
25a1f5cea046245a99d99586590ffae6f72a5ffdce653ca2fada07a31fe39b3f0af9e4e1ba0e3240665cd8fa37817bcec635129b46f00df936f62ad6e8beb41d

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
6bc084f98bbbebd4e794ecfe50eb2123

SHA1
271208e3920d60fde0d595a4009a1e68fa009b17

SHA256
e5f0eb6799510adce967674ee6cbc8a855e7b88176977fb791f7c41a72678121

SHA512
463e0bbd0fe6e2da1de5560fbe5022d6a085b5826c229971fcb2d6f579ed51fbd2e414914c58e267aa6dd86ceca36174c09175e6117928fd67963cab0d100abb

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
f0ea29b1f889ee040ee6e8a2e311f450

SHA1
d880e8093c21aa1ae9e5aa0e6cf824cec71edf41

SHA256
87750d35913f68c2e55fd9eab50cc3903fa2c0175d1bb6f9d4923c748adcb8cd

SHA512
9185f4f4b96b8f30c6967a6bc0e8c11298f572d225be8c1c731a2e5952b42eb2a650c6c4c9b333869147befb2c2e123badbaeea0466210397af706f3b630c8e3

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c1f3a15c1ca0b5f6b3438177e97355d4

SHA1
066820601d24f616035a1b700770d131293172bf

SHA256
06a506209eabe8c5b52ba6cc3dc77aa4a3a2d06edb36a708f69f0ba56dbbfb16

SHA512
4f1d85b63f3daa16fc24ac7031a9af4508f166d80af7b27edb2ccc2314741e8063c5ad8aeb8a6009a3cbeabd81d817afe81235e0afbe761de7f0100069bce895

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
c6eb468cc0ee4940659ed32d8316f3ca

SHA1
c95bbf6fca7c82c6dd82102721384fd6c18cf7bb

SHA256
1950ec9186244e89326136192520b6c95e3a1f748dff83d7a7abbda996791a92

SHA512
c183dee9b315de9c0a10c7e610915bc7212177c0b189fd3fe53741cdf434c1bf00c3654ab857df6e0a3c771f9bf56b366150e2c212ddca092bb218b18e841dc8

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
8683969d0888195d8d266cd3866d058c

SHA1
12e44e813b07515a094d931afa0480bd196912cf

SHA256
88b9011bdbd6c6e58ef916f6d67517023191e2b15c311a185609d8af14d3b372

SHA512
06432d4de2e2533d07e796026035c53bd42e6b59442786aad030449e311e8e7da1111bf8d1c3bed3e3c997eedaa862848a5e1a1ae5bf62c77abeee8c3bc925cd

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
0054d0e1632dcc7e70a99f82771c84fb

SHA1
e09ca4adde8da2ded356278c4d91dc4e7f19b603

SHA256
2dd0decfdd6ef42f59fc3713eb86e0acad3f60083a187427452a14080da4d5fd

SHA512
935653a200cdebd1986e0e1a98633ac8c76d902f579bdbf0cda0ad88ec7572e4932179d3523a1086411cd46ad1a477d28d62a5decd216313c6e289a118211022

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0a2c92cf53f4edc3c7f905b8c143e703

SHA1
fa360a1aed761a84a2a320390d83cdbcdc1a6128

SHA256
657c504ac78d28a9ea04f8f89e8cf5ceaef75895f1333a04b4b5a3a0fd22bbdd

SHA512
372eb0cdd44213b26bdda8d5a23c7225a61430cfb6a96b8673411663b23bdcab7ca956caa04055be5f7d110795d873621bbacbf5c823337cc57f828f66b346fc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
2320c2266f0bcee968587c382b99c241

SHA1
980618d56e7fe92ebe81eea6f9ef071004dcab20

SHA256
e3f103376be9c5be4ef8c29c625cc48b0e5b50f5633ae4013b0d685b9909935a

SHA512
b41b10143a27f029acec6dc9ab4b94ff15b396d8b6e9b98093e8d6346d10fa7a54fedaaf485f2c232108f1e530c59f3eff83c95eb88f7e617a6eb52e16042456

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
3ba8407c3291d9e71cf780ee802ac277

SHA1
4d774401d09f53ffb7b4e8fd26e10440a5b0e8aa

SHA256
48c0ca8ac237649fd71816e3e5602b9b382bca6cd140eb2b7fa753950f28fe3e

SHA512
2847a52338618e854b48ab174d5249d72f712943c00ea9e52e9f04b6924d470851ddbdbef5d2035fbfef162972ba45e4422b6ecee09e49e9e76cd25e1e908026

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
116bb68b1ad023685bfa03056818f36c

SHA1
df46d504f0be0c2554cedced39ebf8625877218a

SHA256
d5f74c6c70408d713464d6e73c2161eddc8b3a249d9a233bbdac75a56d883a7c

SHA512
b3a470523611bc313e67136053f3b353a1997782caea9a5a489e9ef6f90ad9bfea6f2c34b323ec8669595f5094eb83c5dbcc86dbf52774a0cb029fb404b9d15b

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.4MB

MD5
addd0257caac9bfd5d3178f6cd5b8a91

SHA1
7ec9d8e6503bae5dffa7412beaa5201af7100ab7

SHA256
74a93497f85b0b7b20a9101739af24ef3b355e1e6735f0493bc80e0d67edf722

SHA512
b3967cc80b03d81bd9dd04df1b40b5ebbdd2f63a0e105981317bcb48b0b948b7fce00ed35ced74a6ef99a79a5e74532fd18a40fd29b68cbeb049b88099a5af15

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
fae8619ef0b132669957dd7a2abaadda

SHA1
93a2c0b2afa25f71b60030097601e2d8785eee69

SHA256
3125e88b28bdd981c773f6c12daf4470b41183f5680b26a7a4c5d8f87cdc2568

SHA512
9984e0d0fb0d330cc9855b99e3dfd1b58c668e9f9f9c6564e0de8d8a13d3236cf15ecbd0c1e984d25565cddc1ae6e8124a0f282a869035d24e4ed8422625f7ac

Download Submit
memory/8-100-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/8-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/640-87-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/640-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/640-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/684-272-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/868-543-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/868-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/920-26-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/920-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/920-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/920-442-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1012-83-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1012-8-0x0000000002450000-0x00000000024B6000-memory.dmp

Filesize
408KB

Download
memory/1012-0-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1012-1-0x0000000002450000-0x00000000024B6000-memory.dmp

Filesize
408KB

Download
memory/1012-467-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1400-597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1400-320-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1548-276-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1844-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1844-45-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1844-39-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1844-53-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1844-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1876-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1968-112-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1996-268-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2380-317-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2484-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2484-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2484-18-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2484-101-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2768-274-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2792-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2792-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2792-545-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2792-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2804-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3044-270-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3444-596-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3444-318-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4312-55-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4312-49-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4312-544-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4312-60-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4668-277-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4808-273-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4936-269-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download