0c3b5faf06ff0603ba3d444a25b404c106b3d9b0c0630e5689b4fd7a2fd3f17c

Analysis

max time kernel
137s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2023 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup AERS Offline x86.msi
Size

131.7MB
MD5

c305d75dc30f38d4c69ba148d0d7f2ec
SHA1

66db1268b165b5fad49f7a242f4f25de8eb43e8e
SHA256

95809b2981b94a57a1208d9e7cd4f1cb4214a883cc64b85cb77bf5735f9e3e12
SHA512

5cc6401d860e83a320114890307b16202633dae45652eb439af35df4c7fb1fe79b5fad23eccc2cbb7606c8af9d30fead0122e3966bdf7774aca407cff0c3de81
SSDEEP

3145728:tXtdQcGWGVSFuxDsyF/3XILOLn+zhxSqCszsalxYVqO:tM9xhF/Ian+XSqCasalA

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
4748	MsiExec.exe
4748	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1200	MsiExec.exe
1400	MsiExec.exe
1400	MsiExec.exe
4504	MsiExec.exe
4504	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\ext\dnsns.jar	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Africa\Casablanca	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Africa\Lome	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\EST	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\msvcr71.dll	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Africa\Lagos	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Asia\Tokyo	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Antarctica\McMurdo	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\America\Scoresbysund	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Africa\Banjul	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Europe\Monaco	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\Infragistics4.Olap.DataSource.Xmla.v15.1.dll	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\keytool.exe	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\America\Atikokan	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Asia\Ashgabat	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\GMT	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Indian\Cocos	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Africa\Bamako	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\im\indicim.jar	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Atlantic\Bermuda	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Africa\Djibouti	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\America\Cancun	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\fontmanager.dll	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\Infragistics4.Win.UltraWinCarousel.v15.1.XML	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\fonts\LucidaTypewriterRegular.ttf	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\jbroker.exe	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\Infragistics4.Win.UltraWinGanttView.v15.1.dll	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Africa\Tripoli	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\deploy\jqs\ff\install.rdf	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Pacific\Johnston	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\America\Belem	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\ssvagent.exe	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Etc\GMT-14	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\deploy\messages.properties	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Asia\Kamchatka	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\SystemV\MST7MDT	msiexec.exe
File opened for modification	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\management-agent.jar	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Africa\Cairo	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Indian\Antananarivo	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\Infragistics4.Win.UltraWinCalcManager.v15.1.xml	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Asia\Kuching	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\America\Menominee	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\America\Godthab	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Africa\Tunis	msiexec.exe
File opened for modification	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\client\Xusage.txt	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\Infragistics4.Win.UltraWinGauge.v15.1.xml	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AERSOffline.exe	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Europe\Berlin	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\America\Panama	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\policytool.exe	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Indian\Maldives	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\fonts\LucidaBrightDemiItalic.ttf	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\America\Cambridge_Bay	msiexec.exe
File opened for modification	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\sawindbg.dll	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Etc\GMT-9	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\net.dll	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Asia\Bangkok	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\jawt.dll	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Africa\Douala	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\management\management.properties	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Africa\Lusaka	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\deploy\jqs\jqsmessages.properties	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\kinit.exe	msiexec.exe
File created	C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\deploy\jqs\jqs.conf	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e59b50e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e59b545.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC404.tmp	msiexec.exe
File created	C:\Windows\Installer\e59b50e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB721.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB964.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{BAAACFC9-129D-4F6F-BE42-13CC834BD08B}	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001f27edca5b4e00a30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001f27edca0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001f27edca000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1f27edca000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001f27edca00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32\ = "C:\\Program Files (x86)\\AMLO\\AERS Offline\\AMFICSXMLSecurity\\jre\\bin\\wsdetect.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\ = "0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled.1.6.0.0\CLSID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled\CurVer\ = "JavaWebStart.isInstalled.1.6.0.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\ = "isInstalled Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\VersionIndependentProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\VersionIndependentProgID\ = "JavaWebStart.isInstalled"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Programmable	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled.1.6.0.0\CLSID\ = "{5852F5ED-8BF4-11D4-A245-0080C6F74284}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\1	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\TypeLib\ = "{5852F5E0-8BF4-11D4-A245-0080C6F74284}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled.1.6.0.0\ = "isInstalled Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\ProgID\ = "JavaWebStart.isInstalled.1.6.0.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5852F5E0-8BF4-11D4-A245-0080C6F74284}\1.0\0\win32\ = "C:\\Program Files (x86)\\AMLO\\AERS Offline\\AMFICSXMLSecurity\\jre\\bin\\wsdetect.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled.1.6.0.0	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled\ = "isInstalled Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5852F5E0-8BF4-11D4-A245-0080C6F74284}\1.0\0\win32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\ProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5852F5E0-8BF4-11D4-A245-0080C6F74284}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AMLO\\AERS Offline\\AMFICSXMLSecurity\\jre\\bin\\"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled\CLSID\ = "{5852F5ED-8BF4-11D4-A245-0080C6F74284}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\1\ = "384"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\TypeLib	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4032	msiexec.exe
4032	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2116	msiexec.exe
Token: SeSecurityPrivilege	4032	msiexec.exe
Token: SeCreateTokenPrivilege	2116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2116	msiexec.exe
Token: SeLockMemoryPrivilege	2116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2116	msiexec.exe
Token: SeMachineAccountPrivilege	2116	msiexec.exe
Token: SeTcbPrivilege	2116	msiexec.exe
Token: SeSecurityPrivilege	2116	msiexec.exe
Token: SeTakeOwnershipPrivilege	2116	msiexec.exe
Token: SeLoadDriverPrivilege	2116	msiexec.exe
Token: SeSystemProfilePrivilege	2116	msiexec.exe
Token: SeSystemtimePrivilege	2116	msiexec.exe
Token: SeProfSingleProcessPrivilege	2116	msiexec.exe
Token: SeIncBasePriorityPrivilege	2116	msiexec.exe
Token: SeCreatePagefilePrivilege	2116	msiexec.exe
Token: SeCreatePermanentPrivilege	2116	msiexec.exe
Token: SeBackupPrivilege	2116	msiexec.exe
Token: SeRestorePrivilege	2116	msiexec.exe
Token: SeShutdownPrivilege	2116	msiexec.exe
Token: SeDebugPrivilege	2116	msiexec.exe
Token: SeAuditPrivilege	2116	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2116	msiexec.exe
Token: SeChangeNotifyPrivilege	2116	msiexec.exe
Token: SeRemoteShutdownPrivilege	2116	msiexec.exe
Token: SeUndockPrivilege	2116	msiexec.exe
Token: SeSyncAgentPrivilege	2116	msiexec.exe
Token: SeEnableDelegationPrivilege	2116	msiexec.exe
Token: SeManageVolumePrivilege	2116	msiexec.exe
Token: SeImpersonatePrivilege	2116	msiexec.exe
Token: SeCreateGlobalPrivilege	2116	msiexec.exe
Token: SeCreateTokenPrivilege	2116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2116	msiexec.exe
Token: SeLockMemoryPrivilege	2116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2116	msiexec.exe
Token: SeMachineAccountPrivilege	2116	msiexec.exe
Token: SeTcbPrivilege	2116	msiexec.exe
Token: SeSecurityPrivilege	2116	msiexec.exe
Token: SeTakeOwnershipPrivilege	2116	msiexec.exe
Token: SeLoadDriverPrivilege	2116	msiexec.exe
Token: SeSystemProfilePrivilege	2116	msiexec.exe
Token: SeSystemtimePrivilege	2116	msiexec.exe
Token: SeProfSingleProcessPrivilege	2116	msiexec.exe
Token: SeIncBasePriorityPrivilege	2116	msiexec.exe
Token: SeCreatePagefilePrivilege	2116	msiexec.exe
Token: SeCreatePermanentPrivilege	2116	msiexec.exe
Token: SeBackupPrivilege	2116	msiexec.exe
Token: SeRestorePrivilege	2116	msiexec.exe
Token: SeShutdownPrivilege	2116	msiexec.exe
Token: SeDebugPrivilege	2116	msiexec.exe
Token: SeAuditPrivilege	2116	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2116	msiexec.exe
Token: SeChangeNotifyPrivilege	2116	msiexec.exe
Token: SeRemoteShutdownPrivilege	2116	msiexec.exe
Token: SeUndockPrivilege	2116	msiexec.exe
Token: SeSyncAgentPrivilege	2116	msiexec.exe
Token: SeEnableDelegationPrivilege	2116	msiexec.exe
Token: SeManageVolumePrivilege	2116	msiexec.exe
Token: SeImpersonatePrivilege	2116	msiexec.exe
Token: SeCreateGlobalPrivilege	2116	msiexec.exe
Token: SeCreateTokenPrivilege	2116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2116	msiexec.exe
Token: SeLockMemoryPrivilege	2116	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2116	msiexec.exe
2116	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 4748	4032	msiexec.exe	93
PID 4032 wrote to memory of 4748	4032	msiexec.exe	93
PID 4032 wrote to memory of 4748	4032	msiexec.exe	93
PID 4032 wrote to memory of 1548	4032	msiexec.exe	115
PID 4032 wrote to memory of 1548	4032	msiexec.exe	115
PID 4032 wrote to memory of 1864	4032	msiexec.exe	117
PID 4032 wrote to memory of 1864	4032	msiexec.exe	117
PID 4032 wrote to memory of 1864	4032	msiexec.exe	117
PID 4032 wrote to memory of 1200	4032	msiexec.exe	121
PID 4032 wrote to memory of 1200	4032	msiexec.exe	121
PID 4032 wrote to memory of 1200	4032	msiexec.exe	121
PID 4032 wrote to memory of 1400	4032	msiexec.exe	122
PID 4032 wrote to memory of 1400	4032	msiexec.exe	122
PID 4032 wrote to memory of 1400	4032	msiexec.exe	122
PID 4032 wrote to memory of 4504	4032	msiexec.exe	123
PID 4032 wrote to memory of 4504	4032	msiexec.exe	123
PID 4032 wrote to memory of 4504	4032	msiexec.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Setup AERS Offline x86.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2116

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4DFC0F026E9E1C8378B5D006D38CFBEB C
  2⤵
  - Loads dropped DLL
  PID:4748
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E6C28F1D3B43C11D314B7C1CEB8FD302
  2⤵
  - Loads dropped DLL
  PID:1864
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\wsdetect.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1200
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\jpishare.dll"
  2⤵
  - Loads dropped DLL
  PID:1400
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\jpicom.dll"
  2⤵
  - Loads dropped DLL
  PID:4504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59b50f.rbs

Filesize
285KB

MD5
cfc1b1d93a3186a5ab1cc73759ccf29d

SHA1
0a811e5e0a1d56d5ea5f1a0d4a78af8fd88215d2

SHA256
3bd3baae23728fe047c2bc46c7f8dc7489258e064a9c6f03e8c736dbe7201c7f

SHA512
1e4d514dd9b12b9bc91e061421526dd801b0e5b0cef16052c1296222e8ec12480dda92edae17db937010881fcbef01175d7726311865c2f525848e890345f9f3

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\AMFICSXMLSecurity.exe

Filesize
3.9MB

MD5
d1ce59ebbeb76343b468f95d19e03b29

SHA1
b0bcebb1c4ad79d3cab26622ad20448a4deca112

SHA256
109fce35581de865768016c1677e3ba56f1d685f66c7cf3d1a560f7f85f7e303

SHA512
a3e1d390a0a56f36967949b3676a93943b23acc630558d2a76d7ee3bd16fbda6f73a697c22b9e8f444cfffb4f013b5c1fc410871c4b890e1566af5a17f1b1bf2

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\image\icon.ico

Filesize
24KB

MD5
649d7dd171562bfa89463569b27b378d

SHA1
d247545aac82678959016e14c477ab22c6c70c01

SHA256
8c70697126d9d174c9e4a6f7fc0ddb7260af3f61b5f30f9a424372d30a5ba9a4

SHA512
9bf0be61ca471554e2b224576b112321ba95762104e930d6facbbced094604f8322ff83f2a3f7241866a8d7801470fd92787bc85e082f47622344a0d6226b821

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\LICENSE.txt

Filesize
41B

MD5
67cb88f6234b6a1f2320a23b197fa3f6

SHA1
877aceba17b28cfff3f5df664e03b319f23767a1

SHA256
263e21f4b43c118a8b4c07f1a8acb11cafc232886834433e34187f5663242360

SHA512
4d43e5edecab92cebd853204c941327dccbfd071a71f066c12f7fb2f1b2def59c37a15ce05c4fe06ec2ea296b8630c4e938254a8a92e149e4a0a82c4307d648f

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\README.txt

Filesize
47B

MD5
4bda1f1b04053dcfe66e87a77b307bb1

SHA1
b8b35584be24be3a8e1160f97b97b2226b38fa7d

SHA256
fd475b1619675b9fb3f5cd11d448b97eddee8d1f6ddcca13ded8bc6e0caa9cf3

SHA512
997cee676018076e9e4e94d61ec94d5b69b148b3152a0148e70d0be959533a13ad0bc1e8b43268f91db08b881bf5050a6d5c157d456597260a2b332a48068980

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\THIRDPARTYLICENSEREADME.txt

Filesize
168KB

MD5
685f0df7ece33cd9aa2567c4ed46bc42

SHA1
a5578df006f4a7812ce74fa018cf699fdbdb9c9a

SHA256
0b9d59a6f41990a62c03f26beb0cc5df992d08d50155a3c6690465dfc4b0b4d2

SHA512
978c965c4f7901e2692226ac8c68e27db0d1b0d62b5f254fcec5de1c2461f0c7f88c2b91c016c4e9d2d11028e7e1235e9afe893a6796d96588d6d1b0c0eab991

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\Welcome.html

Filesize
943B

MD5
c6d4e4ad306cddc3cdbb9eb7796cae73

SHA1
0e79085e5a481a92bf45dcaa3eb06123a9f90683

SHA256
d35157526df79ca80ef3f9ae5111b60df8252eaa747a3517265e7341deb6632c

SHA512
f94496073de0243d129bc997178a53fba5d6dadd1f4d99b423b2c0dfb8134f7ecad66af6d03f1186634103d4c6cec9c198861b17d30be6a1e589b92c0a70801f

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\client\Xusage.txt

Filesize
1KB

MD5
f4188deb5103b6d7015b2106938bfa23

SHA1
8e3781a080cd72fde8702eb6e02a05a23b4160f8

SHA256
bd54e6150ad98b444d5d24cea9ddafe347ed11a1aae749f8e4d59c963e67e763

SHA512
0be9a00a48cf8c7d210126591e61531899502e694a3c3ba7c3235295e80b1733b6f399cae58fb4f7bff2c934da7782d256bdf46793f814a5f25b7a811d0cb2e3

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\jpicom.dll

Filesize
101KB

MD5
90a9441b644e71c7c0f7d1ffce7726db

SHA1
2f324d877ba5f536d2a240e9e1d082060899acd0

SHA256
dd95853c5206328c17cf91b24e7c5f3331ba52281e5ce12e4283f18b3844f480

SHA512
80f4617a880f0e0251c3d6939322c9583cb0249fd5752974fa2a79e04b3c7fc5b05232e3a5405fb3338ebf6058ec99631f5f1b6de564db864b540d2463618376

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\jpishare.dll

Filesize
129KB

MD5
81d5188046cd33d0129a0c2ab7b35b77

SHA1
4aa0f9835175874bbac506536f58904db48bba23

SHA256
a88725422ac58bef789c04be70f41c97661eec97b5baf940edbdf15cd57e9fd2

SHA512
0466707524ea1ce8ca0bca2f7b40619f23eafbc4196ebfd57567569a646bd6de376be13f9f7aee2e63ddf1e8b505046bd2d19e1bcb35669141fbe3db65858683

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\sawindbg.dll

Filesize
61KB

MD5
31f38abbf0a5ece9f8066599cf3a9612

SHA1
7a210495d6f05a7e658adbeb2312d71d0127e2d2

SHA256
007aec46cb7b5607f6ec3e9d5b1cf2f788e32ddedea6e1a10f7a23d25a6aa2e5

SHA512
e331535164749bb383d6717142916011905b9ec499adc4c253b3b16a2a6fb5c79831d8108c643b5d9d96d84c10276b4c4ed9b93d7d8bfea5a4fe9a1bb19df925

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\bin\wsdetect.dll

Filesize
109KB

MD5
5fef9e4860fb6434d3ea745c43c14969

SHA1
06b6f85f57aa4a6d4ffaf3d44ea45c6b6637cf17

SHA256
0c5c1c924e1efb7388316b87df8f83a890fff1727777cf322a895c9e2f9cdeda

SHA512
bf91dc5008934c56918cebbfe6ee70fbbc0c8460ac78528af65dbe79ba7916200260d40247ac634f70e66c1b523ace10050bb25d881a233b7d70707ae095f10a

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\alt-rt.jar

Filesize
120KB

MD5
2da1488ef10c510e3710af75a216fbbe

SHA1
78fdfeef6ab4e7add2b6a1c361295a8d8cde077a

SHA256
e18f826adf680ffc49421a80b58120c65aa4bf2504125db1b694175bf084f726

SHA512
d59bbf703311a6b945a9bbb97afdf7f148045db6d4dcdeddbc161f40b9b70e8a049c0214302f36fbbc30f3879ed7460aa8570be8194c66fb488781b9a416365a

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\alt-string.jar

Filesize
41KB

MD5
1f97a349c7919b78b8a359343ee048c4

SHA1
c253386afca3c29de75d1fb3609668256db518f4

SHA256
e346cff3e59db8e72a002b7d2f376cad0849b4b792cf2b3464cdcc9e2c8d4af1

SHA512
157a4498d9dba1745f397858a886803385237a20dc6e6242546ad4093124b0b50aab4435f74df1de2d803219fd5218a64c59c1de46df42a6a002b3b42914316c

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\charsets.jar

Filesize
6.4MB

MD5
96403feb0312dbc0685f64a0b2bf3af5

SHA1
ffdc3bdf5fbdb3aa12f2fb7c6e9ad6d3a1abaef7

SHA256
f90a726a616c4eba961ac250a65eef277ada697acc2ea5fb8121970df0424229

SHA512
0c154ddf3a9cba70587d9d6de1c291a53d3291c773d88c67e867fd33991005e6b076a1e105d077e1457471e9c7df598bc9a35cb3baed35d50a06077fc1e0979c

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\deploy.jar

Filesize
3.4MB

MD5
dd03fee94ce3d06ca0f4f771e989f864

SHA1
05684017ebce7b1a1422378a9c11e160f5d1418f

SHA256
443b9a4d06e963cab3ba866195be8b8f07cb370f4d5e63e18bc601b750154ec6

SHA512
379b8729b1d92c7d0b586219610d634460ab7c4d35585745943b7477b3ab334cf8786b444495aa22c2c9664a3d996bb52d7a37f41c448017649734b82a31a60a

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\deploy\jqs\ff\chrome\content\overlay.js

Filesize
782B

MD5
20f3534d5cf5724bd86a79776e72c28d

SHA1
5ec79a1463d97a187ba92afd6e410a6a72611818

SHA256
81b95dc521e7065428f39e0abd71c429222801e0bada2b062329c103f4041e4f

SHA512
553aba4d121e7d0931e57e5af1913b90a95d2656c1e08cb771158e39c6f9c67fa45ce9999dc223d3281c09e51fa0dc133c122c5f8402c3911a4e5e2983b12332

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\deploy\splash.gif

Filesize
7KB

MD5
1dc29c806d69e8555058b88d6f134be6

SHA1
ec2d23fb4e2b4540ed34866c4d531f8c35f0f25f

SHA256
bac92b43f7ef48aeba16245d67bcc67625cdddff72378a5507177247b7763ce8

SHA512
67d85723c1ec4ebcc8c4453e48adc2e0de174f38c9313a6d7eea6604efec6f64ea4a369e197b7daa889afc3fc316751d24e532dd524efe7d8dd792c46af4ac42

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\ext\dnsns.jar

Filesize
8KB

MD5
270f54a2ea7a15072faff77249b5a557

SHA1
c2035b31f679d723b6f7ce165ec7bc6aa4fb4bd6

SHA256
e975fccb45e78871ec8c2c24689a8c8bb47b727fcc04f0a9f1ff1d6d45b1caca

SHA512
06b705fbf7b6b61b15476ad8e16de6d8b5d3c3b92407eb1952d330455e10da48305257b6e2938c9b146f2d75c035fca6bd6894fc4f06a6dbe2f5afba9418fc4b

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\ext\localedata.jar

Filesize
825KB

MD5
ed8f18d305590449ae3203eef7363e38

SHA1
61924d803e460c5674c41b9da5dd503e37ce7cc4

SHA256
12faa034965a58fad72d7d0f0b66ee330d396020af2fa9c757c6cfb21c76dc74

SHA512
d7079cc9a6d0f919a12d8c4c7cccc8673ed3f321034e3e7c2c29ff86e26b36f35aabe19bdca3206632b447cab9ca656737652894c875ed91b3770aa39dec9d99

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\ext\sunjce_provider.jar

Filesize
166KB

MD5
dbea59e0bc9dd230c943f2417203c4b2

SHA1
2357317d1e1f14937b3bda942c58791ee1dba581

SHA256
44cedbdbbf186a5fc1af26cdc9f8873384eb985d6ea41ea99925b8931eeb43c5

SHA512
8e08d0d1ff93875741889028a982b6826d7136c6af4e8bb11d0982d1d6bc3a5a1a522240dc439ac2aadb7d0ca8514160a7cd5b29c78afacf6975e519111f4e73

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\ext\sunmscapi.jar

Filesize
34KB

MD5
858e6301bc72dc67cdb1c0495dfb7222

SHA1
0046b4afa97bf972a1148ecd4ea3426df5a585f6

SHA256
5745b21b50a98f023b065664c1b0fc2d575857c3e9a0e749d090d0585150c677

SHA512
7c35e0aedbace992b5d327f437bbe1ccd0c829b776c238d3fabc2c98cd89673af14a46478ca7a27e36e995472dc515e123445355d1493807e96f61b7cd695daf

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\ext\sunpkcs11.jar

Filesize
226KB

MD5
870abbda49e69fdea495083df3611819

SHA1
f61f71496ffdd90c7b1af3c651a2223e906508a5

SHA256
f98636eac9bfaa62e3799c74928612f1c7b084a06028f98ac56a93b64f2ec3db

SHA512
24fd1be1f19d6e3f59f2e6169c4f3734a8e74e8c61743fb081f0f5a65fdae2f2c3c90871692089d7a8c6122405018c4b9119ea4a9be277ffb54391b001768e5e

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\im\indicim.jar

Filesize
9KB

MD5
0f0354183d9af07c02debcbc23e9aff9

SHA1
c0fa2d8e71e2086abc6025e089c563e8848025ce

SHA256
490dbdf68a6b217173d659bf451645559c878018c98553d952ca765b5e851ad9

SHA512
f9785d5a0796c0cb4afaea39227717c98125a38558426da248814d69229c46a4262bb70ef41a87e15a413f51baf7662d5a85cced0a844eceb1784a300b9f0eee

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\im\thaiim.jar

Filesize
7KB

MD5
f065aa2f0b6f8772d8ed4e6b008e07a4

SHA1
1fb1f4b864e986640093ee56d3ff947c7f115933

SHA256
4641d702648488b31b1cb90cf9813067132c8b0c06790fb11d110be04cd70f6d

SHA512
757a9333e2afffb0e79c3c84488dafee2a599906b260a661bfc890a5f7906acfb0c50bc2b49c99bb566145c5805baa0f82bcb5c0b6b044c4405b3023b1ac741b

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\images\cursors\win32_CopyDrop32x32.gif

Filesize
165B

MD5
89cdf623e11aaf0407328fd3ada32c07

SHA1
ae813939f9a52e7b59927f531ce8757636ff8082

SHA256
13c783acd580df27207dabccb10b3f0c14674560a23943ac7233df7f72d4e49d

SHA512
2a35311d7db5466697d7284de75babee9bd0f0e2b20543332fcb6813f06debf2457a9c0cf569449c37f371bfeb0d81fb0d219e82b9a77acc6bafa07499eac2f7

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\images\cursors\win32_LinkDrop32x32.gif

Filesize
168B

MD5
694a59efde0648f49fa448a46c4d8948

SHA1
4b3843cbd4f112a90d112a37957684c843d68e83

SHA256
485cbe5c5144cfcd13cc6d701cdab96e4a6f8660cbc70a0a58f1b7916be64198

SHA512
cf2dfd500af64b63cc080151bc5b9de59edb99f0e31676056cf1afbc9d6e2e5af18dc40e393e043bbbbcb26f42d425af71cce6d283e838e67e61d826ed6ecd27

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\images\cursors\win32_MoveDrop32x32.gif

Filesize
147B

MD5
cc8dd9ab7ddf6efa2f3b8bcfa31115c0

SHA1
1333f489ac0506d7dc98656a515feeb6e87e27f9

SHA256
12cfce05229dba939ce13375d65ca7d303ce87851ae15539c02f11d1dc824338

SHA512
9857b329acd0db45ea8c16e945b4cfa6df9445a1ef457e4b8b40740720e8c658301fc3ab8bdd242b7697a65ae1436fd444f1968bd29da6a89725cdde1de387b8

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\javaws.jar

Filesize
903KB

MD5
817ef50c0af4106176cd4471c2f1f0c1

SHA1
319bb00c5cf8803118bdab6d1f5ac949c12b4248

SHA256
d61f6ce2cbd04604e8c58918b71f1d65df803c9e786c521d4bbf37cbe92f006c

SHA512
c3d086c80d4f791d355382e8184bccb0751e84af13967bde18e606b57db3cbce26fd38f7fc6adbde28745e9a2b4d8f2e95d23e63a47637116a1bf83e0215f1fc

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\jce.jar

Filesize
86KB

MD5
d9eb1c27f046780d5b54805eda5e59b5

SHA1
70e3f9e76e3d5884415516c0cee0855295bcb571

SHA256
20294af3d3a80a5e3afb8f5b0e12e95547d8355eacb14b68be16ab387764d923

SHA512
aaa5401ee8e43838f654e16ec42ee23a5aece8c834d52e4c7b95edfff7336da748339312555552b7b0c113a228e10e9774447c59379f2e568cd8dbd39c0db291

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\jsse.jar

Filesize
621KB

MD5
8409bbfb153f225c40db190e0d7335b2

SHA1
4b32a209c644735a681c43a5b0ff408bdd2a390c

SHA256
931e22c6b6db68673437180ea8a07410379028c0be0b55280a997aa74cbce6f4

SHA512
f12a3fd20ccc5c2a68169db5a843ed2835d10ff8dc277c96784ecfc5d2e8bfcb821408e4cc53001c4b2c8d0f244a7eb6175113c4ff22e951a7da2147950bce03

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\jvm.hprof.txt

Filesize
2KB

MD5
e48fea91446109e6e04049b16e65241c

SHA1
647d60afc5c884c6bf2f08c48fb5506ee0155790

SHA256
5eb0d4aae7963b8e214d1e075b104192f4736318a675b57aa9d6626b6ddf72c6

SHA512
3254904807107b9ebfcbf1cb3bd441660d624bfe5294c864930962b1ad514725246a10897d4dd7378bae8e9fc3e4571393168f2057d5179f9fe79df3ecb59c35

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\launcher.exe

Filesize
45KB

MD5
1feabcb9a40da22065231b2239cb2f82

SHA1
c94842f897874614dde8092ea6a0a39386162108

SHA256
4a97eddd7de4947eeff1d18f9a0db8d004f610532af41b1ef2360477cca27d7f

SHA512
c6b39fefe17599ee1806b3fe2e6c7871a8204867a9220ab90e38c8f6f7a3385275b8e9dcc03527bbbe5f949ed1b9be80deb9b19cde5b602268032e63f12a77a0

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\management-agent.jar

Filesize
382B

MD5
9ef18b5e84872cdff7e1f4f372f4a86f

SHA1
98913e7510d25ff28928924ac4246aa4a8720d2d

SHA256
7fd4c782dba525ffc0898a97209079d0d2b789123976c3478b004d62209d182d

SHA512
b0b6c54e19ec4bbdaafb775306c012418c6f27eeec7e1388f4ad4dcf343cb8a8a4f12f1fa945852f94c6c749a997b997ef4a5d06a011b8e6945ccb1ed4fcb1c2

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\plugin.jar

Filesize
1.9MB

MD5
353723ef6bb9d61ee4f8704600bc3e41

SHA1
33968167245cf8e5290931b965e12f5898d12119

SHA256
bf98f6f6480c0a5e02a941699ea1468946025b95c19ae27c58c171b24aa34568

SHA512
3b2cbe25b822fbac96ec431037321c6710367c340cef07328ddd07646477783c8d9a5424d9ba665105cf8018d9bc9b873ea843998d7e2b47b01f5bb46a639d1e

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\resources.jar

Filesize
1.1MB

MD5
5db68435f722598bac3a6cc9d47d34f6

SHA1
8032143205dfd4bae1364311545387ed7181a6b5

SHA256
da03e13940ddc24abeb2764d04c03ba78fe54365162b6b04de5bfdf5d23034cb

SHA512
f49ac35ffcac0926f7a5ee08ece142bc1b835451f45c28c0c8173727159f6a994ae545fa0e332b175f8db04e517e30819bbf94253cad4fa3537bb9bcd5f98164

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\rt.jar

Filesize
28.2MB

MD5
e44f8738558bc2dfc482291c233293e5

SHA1
2d9d9c87c2a2137e10c700e1061057cb958a1402

SHA256
e78bd6280f045813fb572eaea52b91821dea7f00f8caff5994c20921bda63ddb

SHA512
d12b5c319d0bca54ad4db41b28e9cadafd45c690f656d00566c71df249dc31c4ead1867bedb0902401eed5d857e19a3354b38ddefd7124ac49f529495e282089

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\security\US_export_policy.jar

Filesize
2KB

MD5
b94923af60a5b4659a8df2847fe1ab6d

SHA1
1b5eb80bd3699de9b668d5f7b1a1d89681a91190

SHA256
0d63f30e607d4662c47e595900b82cafeef42fe844934d3512a08a7dce323f19

SHA512
5608d0e0e881ca653f8b4dab7136a5fc31c2ebeb537a8d10a7d81609313db5b4101c51528dd5ab8a09225b998155ad99df53dbd5ce5d1a9f45c4a72105e79326

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\security\local_policy.jar

Filesize
2KB

MD5
53e2a50065ac6ea39cb2aa7d3975284b

SHA1
c557a5da9075f41ede10829e9ff562b132b3246d

SHA256
0a3e2ec62519d40793f9e843da725e3fd9e022792f02aec9a47142eff60048df

SHA512
95b9ac6cf824479889d7c1691ad14a6ba18bae94f4f721cb99ca7324fe77c5291a093ce817276f39a71bc4d39f6b7c52050fc72e7f3ca37c28a3bee4927ae139

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\servicetag\jdk_header.png

Filesize
8KB

MD5
c2be16221bf2fa2caa4e6d34dd633fb8

SHA1
c8abac255645eaf4aaddc9dd54b6ec7b3570e84e

SHA256
d92f2ad3afc55758fff171c5733fe90eea1dd2144488d1930f545217bab6bbaa

SHA512
9663408bcc1ef39deff7837eabd3ff9e5dd1fa9fc008aa0a1b0d10d405fd9b47d1387e821c8b47fd1770428fdac8c3456291bf9605d360f0f5e12910208f15e1

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\servicetag\registration.xml

Filesize
1KB

MD5
3b4d1bb8dcfa8af2c12fb1b629fab69c

SHA1
65cab64da8899a5990054e9e9499bad61f1ae760

SHA256
a7e3e89491eb173dab11ed79773cf99a5dd94c65d69461769e907891c41aab6f

SHA512
f6f5b841e7e336919dcd193b72828f29ec2b0ec3e18c8e4d58ad02506b01e63c027bca1e5b103afb6851fb4bfdd4440e59129eefea4b30de6eca9f01fd993460

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\jre\lib\zi\Etc\GMT

Filesize
27B

MD5
7da9aa0de33b521b3399a4ffd4078bdb

SHA1
f188a712f77103d544d4acf91d13dbc664c67034

SHA256
0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d

SHA512
9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\lib\AmficsXmlSecurity.jar

Filesize
161KB

MD5
056951de50aec51484947f0113e12906

SHA1
aa2c2957daf4b4d1fa57c83770834672da9f21ea

SHA256
75e3a3eabee80623380f671cb291c8624e80d81346ec1175ae6ca6927b91ec15

SHA512
7042e5b09a8665a73dc4f953977b5f13c51ced1edf980e2d748d3cf55acb74ad3847a3a3025f881a03bc10cebc8365fd0c8d94358b705cd2d87b0abf91f0abb0

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\lib\commons-codec-1.4.jar

Filesize
56KB

MD5
82b899580da472be37055da949b731fa

SHA1
4216af16d38465bbab0f3dff8efa14204f7a399a

SHA256
6aa4234c74f3a1035751a25822545867c8c3727125a642b6e049665d1863631b

SHA512
640bca4f1d4dca63724eedf417d3dccaacf77e5c1d9dac07190b0a64450f7b16fcb5f8578823303e08fb6d07b9c2897226c449f2c9b448b060ff5d8f683403b8

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\lib\commons-io-1.4.jar

Filesize
106KB

MD5
b6a50c8a15ece8753e37cbe5700bf84f

SHA1
a8762d07e76cfde2395257a5da47ba7c1dbd3dce

SHA256
a7f713593007813bf07d19bd1df9f81c86c0719e9a0bb2ef1b98b78313fc940d

SHA512
a1cc0feb2805e08d49229a20cc4423bb52d6800aab3f65723a28ed7d3429455a3f6ef80daaabad7aa89bfb70e4d3c362b268401e636505d1c89bfa7baf871d94

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\lib\commons-logging-1.1.1.jar

Filesize
59KB

MD5
ed448347fc0104034aa14c8189bf37de

SHA1
5043bfebc3db072ed80fbd362e7caf00e885d8ae

SHA256
ce6f913cad1f0db3aad70186d65c5bc7ffcc9a99e3fe8e0b137312819f7c362f

SHA512
470323a2ee38be1b7ff8c84f1f5a5f8c4ec2ceb6b0649faa7b961f111865877dbe125409f72b1c52c7f18aa89e3469635c49ff4b83f86cc2f2eb2cc5562f9bff

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\lib\swing-layout\swing-layout-1.0.3.jar

Filesize
115KB

MD5
118cab355d46b1d19228a1642ef55cad

SHA1
7773427cf4363bc4ac452a80ed646bc0901063ff

SHA256
84aa17052407dcbadc52a82c59d1dc35409bdaa8b92e4fc238b5e49c1d9cc0a4

SHA512
7f8299f55fa7c4c540ff9bcd12086e8c844a1b31b59393af235fb6cb7534221553181b5c4a6130a73761b88fca558041caf3e4cca61c6064e152aa9b2362f753

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\lib\xalan-2.7.0.jar

Filesize
2.6MB

MD5
a018d032c21a873225e702b36b171a10

SHA1
a33c0097f1c70b20fa7ded220ea317eb3500515e

SHA256
bf1f065efd6e3d5cb964db4130815752015873338999d23dcafc2dbc89fc7d9b

SHA512
29e1125f123ff3f605de74b866be800e78a5448609bd62f1f6a3df13bc7668a37ad35936b7f8f0e87b60821b12ebfc86fa588ee972204bd7772d5bb077b42987

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\lib\xercesImpl-2.6.2.jar

Filesize
986KB

MD5
c4c5a77f9e61f33d80780176451d71c2

SHA1
897bcb56d6b7fe2070a5f561bfc78968ecdd3851

SHA256
7512957342dc34290f27c0d5fd4313e00acb1e6dbe2992fd4ca66b46d7200035

SHA512
9219427fc6693b59a1e6d6be1eb93b9df7a717b0b450396e3e74b0092076b3f04aec7763c36dd688a94b99d9dd2685dcfaba4b770c28c0fcdd19fb4654029b91

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\lib\xmlsec-1.3.0.jar

Filesize
278KB

MD5
ed82e8662f1823e70ba8f468f57eb11b

SHA1
59c4b71e0a5871f26db91eaab236e5b9bf41122e

SHA256
9d427c385a0666340d9afcffe184543386a5ee4067e2fb51e36f41725d1639f5

SHA512
f1f59192363f25549f170352f6481d37b18ef0a072fbce81b814f8acff36f43d03805de25e3a0fc320dc4226575bc480bad5a6522d5053f02f8cf2de8d620af6

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\AMFICSXMLSecurity\validate_min.jar

Filesize
12.0MB

MD5
99dc8f1cee4ae61084a70da9e0799285

SHA1
e19527d98128cd10a2ab23dc0464b17f5a8bf7dc

SHA256
211bdb2f6efab95e34fb39f6a2c6ec27e0f6a33548a463c3bc785989eb1c80f9

SHA512
8390d0cff1c39a52cafddc493d409ccde54589fbed3d212ab56304c8427c4d21d49bde6dde7629871691a6d4fadaa24aa1c15fa8c6b219e0e080e727d5ba9963

Download Submit
C:\Program Files (x86)\AMLO\AERS Offline\amlo_new.mdb

Filesize
3.5MB

MD5
27ab8d42ee6f74c4d6a4cc117861dc96

SHA1
3917717f95b36be9e5c843a3fb0331604b69f652

SHA256
d249a01346de87f99f86ebee20aee726759585785ec702c57db91f19c65ba986

SHA512
fca116a9b28922b978c2d5e80603169262b6a9550ba745380c9a0a39e7217ab2dbba14889ca5d60954cda4d4653a37a66578c52581f01d4765ab43096a531d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI42B1.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{BAAACFC9-129D-4F6F-BE42-13CC834BD08B}\_1BF00F53453E85F9C7DB7C.exe

Filesize
112KB

MD5
159d79256eeb3f468b42cd4c82695162

SHA1
81b4d6a6785eb64b973ddf42e8a5dddf59d5684b

SHA256
c5abc9288a45f3da748192d3c836f40b8b1e826ec22c54842852cbb692f00576

SHA512
41c1bb5e428a2cbd82e7ddccb186a0dd9fff3fd66ac1035ca4a974d1c274e309bafb55bd96e42908f1683dc035d19e040c98b0e5583f940fbfbcd960a0ef8061

Download Submit
C:\Windows\Installer\e59b50e.msi

Filesize
57.0MB

MD5
9c5c97f368eaf815a8db1c27c710c7a1

SHA1
0ab0e714ad5e07c4411bfe4a41262fdeb3c98836

SHA256
2ff16c95b21cac6dcb75b207e80c1562857279972b7df6d48c411357afca1ad4

SHA512
dc7d9df8e2b77a5ad6d849943725ff09d897fdf28d4a558a220d5f889c49fa72e543d711ac1bd988aac157b25d61087b1a33829f368afcbbe87ade63ea3b18eb

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
20.6MB

MD5
7e150828cf824d148da3cc6497cbc402

SHA1
35b07c2242f07872f224b279ad5b01991c6d0699

SHA256
3a30743e679a2a54377532022066742b6d7c5a1f8231168a2bb1941d2b09228f

SHA512
fc2c56c7ffcb2be6fe93eb42e29b7076f65bf30cb024263401f89c8b1d0893c352b7dbf96a0760afc0481e36ef892bafe8d78142829ba62d7c06b90105332f4b

Download Submit
\??\Volume{caed271f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{789ab346-9c25-440a-b839-4050291e87ac}_OnDiskSnapshotProp

Filesize
6KB

MD5
9d861c20843de8ba45d0f863ef923135

SHA1
6be39b47cffa8b4b88d33a7d5d201dfa4ad166aa

SHA256
220c5e6ea07bf5bca7efc290f82451cf0dae32618ea9ceb16adf1cf82b04633d

SHA512
db9793d73e356984523eab456ec9663200efe0bc06aaf922e50a2f7b9df82b00892901ad83abe06a901b560f1621674b602c376b69a288b0554ed6988b4a7f12

Download Submit