cebf8e8f40fe548f9a14a51082e70e0f2403e85042d88ee3226282d0aca03981

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
Size

1.3MB
MD5

3839200c2f0c0211990caa389141e297
SHA1

e2e5a2cbc0a495a1b90af12a35aa0ad1bc19e124
SHA256

cebf8e8f40fe548f9a14a51082e70e0f2403e85042d88ee3226282d0aca03981
SHA512

a3429b14894f8554dde04c43955c931027afa4b8e03183a98e184b77b2890c19e164deee28d1523530947b7e76b297ba8a08a2fe5a06f42d00cdd1e6c6d571b4
SSDEEP

24576:egXZSoD9clJl9njHDlicG0y4QN+EiAkbwRobfHRFcbK3eUKUzy:X4oR6j9jDlicG0y4C+YktHRFcbtUKA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4500	alg.exe
684	DiagnosticsHub.StandardCollector.Service.exe
532	fxssvc.exe
4868	elevation_service.exe
4952	elevation_service.exe
1416	maintenanceservice.exe
1376	msdtc.exe
484	OSE.EXE
2092	PerceptionSimulationService.exe
3116	perfhost.exe
3544	locator.exe
5068	SensorDataService.exe
5424	snmptrap.exe
3368	spectrum.exe
4212	ssh-agent.exe
1776	TieringEngineService.exe
2848	AgentService.exe
3824	vds.exe
5756	vssvc.exe
5960	wbengine.exe
2284	WmiApSrv.exe
5512	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c624a615293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004007fff152bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b6be2f152bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000210221f452bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085ca22f252bfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca3f38f252bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a623a4f452bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b968cf152bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ca13af252bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008995abf152bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
Token: SeAuditPrivilege	532	fxssvc.exe
Token: SeRestorePrivilege	1776	TieringEngineService.exe
Token: SeManageVolumePrivilege	1776	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2848	AgentService.exe
Token: SeBackupPrivilege	5756	vssvc.exe
Token: SeRestorePrivilege	5756	vssvc.exe
Token: SeAuditPrivilege	5756	vssvc.exe
Token: SeBackupPrivilege	5960	wbengine.exe
Token: SeRestorePrivilege	5960	wbengine.exe
Token: SeSecurityPrivilege	5960	wbengine.exe
Token: 33	5512	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5512	SearchIndexer.exe
Token: SeDebugPrivilege	2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
Token: SeDebugPrivilege	2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
Token: SeDebugPrivilege	2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
Token: SeDebugPrivilege	2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
Token: SeDebugPrivilege	2156	2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
Token: SeDebugPrivilege	4500	alg.exe
Token: SeDebugPrivilege	4500	alg.exe
Token: SeDebugPrivilege	4500	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5512 wrote to memory of 1332	5512	SearchIndexer.exe	107
PID 5512 wrote to memory of 1332	5512	SearchIndexer.exe	107
PID 5512 wrote to memory of 2896	5512	SearchIndexer.exe	108
PID 5512 wrote to memory of 2896	5512	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_3839200c2f0c0211990caa389141e297_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1016

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4952

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1376

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:484

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5424

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3368

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:616

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5512
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1332
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
25ca12a4bdcfe84962530e7272394ba0

SHA1
78e627dfee0b2e8e2be378042207f33c8651cd73

SHA256
7e07d31a48fbda0a196a396a137fb3108967e22625a7e6461b7887e0728dfd3c

SHA512
326016a0cd47f19bacd49c2f357cfc2a90e5a1d731a4c6e55f487321a15b67d933e8f934182a002e0d1bffa6bfe795ae06a411eabbe8e465e812562e89ff9b47

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
b6cf10e37bd1e8a829e2e777e0677f5c

SHA1
b3d3bfafd0028c1f6bec2de504e1f8762ed665be

SHA256
f1069af3256b925cfa0b66e9156f67b84b706452d683eef86f39b44744646677

SHA512
4e3a2b58d21de13919c99a4c008028b8b36ebc5131aa47ad30fc784a8dca2f07b05b1b7d3d697f230384ed5d96dea2fca76cf61203d5c882be74e29d70d6dd7c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
bdc270a27b8033c2ea1966faaebf7363

SHA1
864ff2674e5b3a3a26ac8eedacdc1ccf2fa8d6ac

SHA256
7263d9f49ec347322603c4436cf6a813527a0bb418d611ace49f248bbbf70262

SHA512
d01d44db3afcee964949337b00ac442566db5a84549706f184c1c94bf6d95ef566c48497a46d25ddeab754b64ac30738af1f2d0d840c3568e78030554193687b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6da1c44e46e40dc47063f65924dee2d3

SHA1
6d418cf6dbed9311a80278f7ff0678bbe5673d33

SHA256
1d7e42e39706d56134ccb5d2c9a966a14a6dc2c725cb8df636f1d8d189530f86

SHA512
5e95fca2952c04677d75198bf038a3c31f8d1f711b45b4afe4f4f0f693f871f17d84a4c3f4bb65dffe1a4e395a95957b642e3221208c455ab66b0add777e0217

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8d78b97cd2088f93263d54b79320ede0

SHA1
0a45c79ac1163de68830f3d8c9cfaf68659b3010

SHA256
7485d7c75e4c1dede0f27f30ee05acd883f5c25a8e6018a71f5a7754811bf265

SHA512
a39eb6c8b22e89a3fd0c0c84fb3cf5ba2b71746a99c0805d7e3fe2f700c6fb37711cb2ede64cfb7f0dae517fa2503364c11db2de58c4bff44db50aa36fc74bd1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
e037bf7768a50571ab07e965923eaf4c

SHA1
8e26a1940f23f700363a94f7c8c3f977856d16bf

SHA256
8965a1e77db697dc46fbce285602878610d020c8f5ab84e79ecc56c6df2a30a2

SHA512
474f024ee32c63c5c6aa9594cc8f2b0fe85ba1e039095b19665567338ecf2c0ddf107b67606d861954d5d314ca83302bf0dcdf2df33e2b9cec67b62fe7a654ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
45785c5ff2bb933492890a3bf530fd0b

SHA1
7d313c3d572f63b07584e99cb0d8f3606735e539

SHA256
f9c82965f19fc452441af92584edf7717104822b9764d4b3f080145d3fe0eb2d

SHA512
503dcc0ad8735e57052cd39746cf195b2f826e48116b5de0316d5c95aca3b154640b56adacf34a57e17ff5385c27ed61b5bf01bce692604f5cdba8e9e815f8e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
59f95f9e5c14e88d3d5c8bc88da84afe

SHA1
a97b72edf0b7b855ae8507020cec3071e1c3da59

SHA256
0a80767ae16439a2e2a9b2bc0095eb097da3e6d90e324a8be862e4ad4be45ded

SHA512
191c8143f39e0407d4cd30f9a7979a426e93419be6e47d29e9d0dc9a98aa6a9284aa29174af016dbf1457cf34e75acef0d6e1babae52ec69ef8a3b64fdcc7b82

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
94d5fb1fe8ce9f8de6a2a9a5dcec9914

SHA1
e34d23204295eaca272445ebbdf3421892adb65d

SHA256
2e6e02dbde85822fb92a1ad6f73f6fd1522663c3896a0b17856067b9c178c4c1

SHA512
30ff49db6b17081a3f54a991ade6c46cce8476b6c793d3223f1331c5bc2fda5e582db2e1185d6d5121c3ef62284bf405cf6e0858a70bedaa26782def1af1e601

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3c3746bd145f6d6b43a3b965f634a0ed

SHA1
35d5b71d4f5b2929aba2171499ac2b064be7a48e

SHA256
801cfe23a0aaad3351f43f50000da507dca3d38c98c60312c84bdb77aeff94c9

SHA512
e432931c5a7f38435c93d1097734f7a53f870cc627c6f8b9bb62681b026a9967edcee9842ab1294019b767cc05fa71db051b89beeabf54f5eea75d909bb7cf9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8c5c4b178e059916a1ac51debd50c1a5

SHA1
d504ea9d812a027ed2b9dc95d18b8e0f08db4ecf

SHA256
c2d25bf898429922c6a4f2ae1c263dafefaf13a12f8fd7774de28fa55200c10f

SHA512
48b23f5485e92d2ae7b24fe533b62a9565a5fb7f6e60c3cf0e60518bf54e5d58f035634a6646305449b20be81a00eb93f7d49f137cb6c531ed9a26cc846c9ad6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
730e268f61078a09dbb831a68a98eec4

SHA1
ea76a14ae2ada17555f94186bd936a3a25c35914

SHA256
0609ae9028bbffef7e59818bc3ecb1de269dfa166062133f02303241820ca004

SHA512
2d7b245d33586fac89e9e82ca28cf00f1488a61119ac879024958828219f8b846960403772f60470d00a80498f0edc93715c35d4ba525b388c23055b25e27ae1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
b68295016d9e1708490ffa4af49a2648

SHA1
546da8007ae9a1f4316301bb35c35f9e8e2683eb

SHA256
813bff69f22a2bb9e28690771aa1ab16711ed329e8f215319c5d6a81f03f875c

SHA512
2a1ff4a9e16d8a67eacfed96eebcca68f230e98dbe09e7ce003106a17e47fba7a223d719655e8cbc9115ff39bcaeeb287784132e075a57e4bda74ae905893fb4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
90c16e96a259aee26853aa291546e0a1

SHA1
c9ed4b681c1de838d48c4a836b056c4f6173919f

SHA256
52e0fea17afb667c80aec14321e5d5c954b704183b34ba48cf0755e59833a9fe

SHA512
92ac37095e1c26a9773e9ecab08855c42f9176d0e920990bfd4054ffc8a4779c87e9b46faafa121928000682f308898b1ed93295b61d6cc4175147c9645757f3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ae5e2fb38ab97567dd625c806c25a745

SHA1
ef4e69e2b5ec1a7b5314711c783eb1f96f8de3a5

SHA256
8c15319d196a83cd4af284d5c29d55087298a9c3ec1fbf9f51470a68a2cc338d

SHA512
e8de2e03257b52ab02ebb8c30a3d4cbd9f31f52da9fadeccc9f5bf776c8d3f6bfe667887962bdecedf9b6452245a67ad7464076f3f3a17517ba8f5c87310e5ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c1d6f0ad8b0840befeadb2c451ce3f3d

SHA1
b1d55132795021a54d2ef3cb272c61cf7ef6b5ea

SHA256
03d84e82aae7560e42f423d36e4a0b9eaf5ca96cc8da532ca56b25739d9018df

SHA512
dbbc82864802f11335f8d78160f3739de7857c58eed911ecb195c32b8394506bed042107e7545f6e0859c92162060ff74268ff0fc9a30ca23984dbf21b16b922

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7d98fd92429120d5aea1e6b16f27e06c

SHA1
52b7795f5de5aada719b25bedf01f6307aa1ba65

SHA256
1df3dcb8cce992ad2767aa8d2bb73f0bbb69c0dcab407d8c572a58beeba4ecf8

SHA512
1c596c1885a0f01db881ca92e0e8eb4eedf471b92402a359856d791739c38a65eaf4ff1ab120a14ed32be3f8688495f741e70337bfafbd32b3e23e389a099d90

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5066a33f47906e0e2bbfc8765138c203

SHA1
4ec87f1e7fd77065184c669c9dce3a24584ebe35

SHA256
57cc49670f833c52150896390473bf2e58578bbff6dcca0cd21b0a5275bc62e5

SHA512
634647163b63fe50aec3e6f00122cdce471a3c57bd4307c83b9ee66203f97f11fc823bee6c857035258b84caf919b04f45092c7e8a091e57c9f004e5886342d5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
312c41d32d46720622b11cb6e73d8ebc

SHA1
e832bc3f025efcd77593eae463c45e9ad222fa91

SHA256
cc961cc1c28ed479cb096bce510d16f491178e2a5059042bfac6d2e6aad75aa1

SHA512
49b94bd505175f42da70d1ffbdabe13cdc507cbb9df49a04422bffc83a7cbf40073d027c0595d73c797d520203dffd4c95c3c457632bb68c0beb6eb533da39d8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7e58c728d2adfd1d8f688897721a06b8

SHA1
66788c22a88787f33c8edefbde981ef3cec7c335

SHA256
b1ea9e397f4281351f79166ff0d1c4e5a9ada14b809cae29340f9a636f5bad10

SHA512
f5464f958380d49915e0e47ed9ad99eb9c15d7d57ec99f58c3059a231ac4a38d61f233bdc9074dbc8716e0cca528ce171b18da609fc074a55507e160037e2a24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
9294ef3001be5be0f93cd089e54e8d67

SHA1
8c77fa6d44e53032ff2b29988797194373ff153a

SHA256
37670822214dd9d14b834a7b67b4e2d0c3bfcc856f12af0375884b7c31301d86

SHA512
a95b79f5ed68ad6ff67fc4a4e3e0b0c3b1f84f35dd23bd5bc180c7f6edf07a89d5351a2f2d1a134253aece98df0e66c3a7b8ebf79fac9e9caf66c41aa9e33b0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
79b29cac40272f2683c699badb452995

SHA1
a7279000b235a5f015d80514a0677b186f5623d5

SHA256
8b9b29131672a68442a55178f1f6d7b1e75fea86ec0d7497ba40ed87838738ed

SHA512
fc3ad6eeda4983ef4ac553e2bd8b6e034e4f113422bc9755984eda549cd12ab15059d8fc77458fe22ecafb995ffc602d06973c1a6715862e1699fbe26cdff0bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
40c403370f64ab951f251707fd856549

SHA1
e19301d4b143d447d05a941b70bec1a9abddfe52

SHA256
e1f2ade5e29c0dca9a7694a4e27b3ca0b9d5544d69091f7e4f7c9018d615c5b2

SHA512
cf67316c99bdd87ce7f6845bfadc656d147534f0a9b3a13cbbbea7e67cc557368bfcd178ac4a14b1b6e97654b86b27e0a223c6c8cf65bb86e4966b150ec3bcbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
ba4174f57776953a28cfd0302e375ff0

SHA1
b46c01d9fd0bac56c6535a58cc7eb0ef6ba33907

SHA256
a803b928f922e01c6d52bb4b82c5cb23a3eb19a89d4e3af6211d996c128349da

SHA512
1a6e072d0134970663e4545d417ebe1571e6452ecf4e66aa1d90304e5396f75d623d49aa28cb6f1d00b3edbb9290b11e46043fcc89d38118d09667f475ea24ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
513e444364e9094a45565df117f975ed

SHA1
395db619af583773ade03274cd63d317bc5810f7

SHA256
e8443be88fb27b5c4657e66179ec66ba330ee3be6efb4ec0310dc17a0b251c33

SHA512
86dd8071394fc6d5200777a89f26183d5ab59f865aabc8ae72499197321554c6d73ea4a4c837fb618f087228b088577c911127c1835a07f3d282416817b1a9a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
6ae9d3fd68cd1a777b842ff4611f0e9f

SHA1
238e318d865c671970b5313a200be8442401482b

SHA256
f9e58b3ba512e60006747b7c4378a2d7ddf023578a516c0f3d0f32c98f4fa4a7

SHA512
8afd240e84761d1d01e167cadceef0cb6304a1972280c277df13502e3aeec7d860bc3f99e9199a52f3420def5526cf17be9497c27b41ad5ee17228421e01bc23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
392872df8a4f01725ae242351e3c2891

SHA1
70e1c3b6883196482f5499632251bb932904a175

SHA256
589c9235001f19ce67fc6fdb0b26a5b23a7c8cc87441b5ad40f79219a6a0964c

SHA512
677403409d5947333b663209b941cbd3cb3f9ccd87c55ac4c0d374f80ad0c751433f6447a366f7f99f91d4c234448aca76df5e76072e6b8be66929bf9f1a4fed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
369f6734b2d3020172a43e9a2684d9ae

SHA1
40bf1d003c025f3c64c5a7e9701093d46fe14c1a

SHA256
b36679ddf97e89201eeb6de02457ad25d498d80381822ebf5796e4279e807bea

SHA512
60d34341123f98de07f01b1f269aa51d9b62dd705af409eec26218e6fd185faeb276a2a582c69e54037c3a3bbe7fe929f83a040871fd60625e2bdaec9a944a81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
6b0327923098a977063a558eccb4c98e

SHA1
6c0a07ab806464d7888f2f6bae959d011a4164ee

SHA256
3ca5811c3a2b089683f84bea7cb78f0da4a3af3bb138e99484ab093ebcf7c600

SHA512
abd7d4fd1b7de86a3c8080299d8a58a4ec003af351c364c5a4ccd4f7f37d28195721b9061995050438dbb7e70a49a8f235cb2736a1597e8e47c09d96112b8b10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
39b3b2b813b8e947a6988de06189096a

SHA1
43b1c3d4a0097e0712e413d26678c9436c1a2d8c

SHA256
0cc9e6d849a18ddf2e48c1b70cb14ce9f2dce6a7166eee0e6e4fa0c433ea9b87

SHA512
c9cb26e55b8a8ce9c6c05c40295ad8a81a56e51da184e35e1775daac31a412d9cb6d9cb9f6eb5a17928e29ab31ee498b5aa1975cf4d47fdabd565688f79f082a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
e3abad2812e6cce5cc2858b47c0502d4

SHA1
579b34ad8d9b67186733cccdc9f5c4fb8f1a5030

SHA256
1b467de1b141aea6ed7d8faffc31f791ce5b11516748ea274fd802df95e32b4a

SHA512
57c9dcc4b5d96dcc1f43df806046560e1938cb9c8c49b1414d048cd2eb4c383a2ef66a55f2a577a849aa7be7792bfa4fcbfe0f7cb4f146ef3a83b73a2036b109

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
6f4f8406404fdaca8856274e78f04912

SHA1
0b1d05afec1148f9c3440adeee7a92d55b9cce7c

SHA256
906379be27e31bdb311b812df9f8a4855a3d464f31d0880a0e558c45579410ad

SHA512
da9e30bb72afda6121015f2ed72a5d1900d2854f1168ccb8686fd9840b49fd75ae9d8e94aeb1dab34527dcfbc885548742d3c8815d94789fc9ca9e3eba3ac362

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
c3ecd6bdb5243cef666366c8b178a707

SHA1
fea3e1d32eb8c9137a893a2f9242a28adfa20cdb

SHA256
1e9053f16b11b7f3945cf2dc81fe32b39c967681ddfe08c8894849f39c35f880

SHA512
1fb99aa638c0e355be6d3ddbcbb884a16854d8ac7a272989daf8c96f0ce7ce79a7600bb16d16011906da356e52a458168d82b92ea584cd208f620547a1529110

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
21b78617e7ce1d9c212f2d7a1cf795b7

SHA1
bed1af88396148c44bebec1fff14d08cd4f2b1ab

SHA256
44c40c5fc9b2e21c3313ca903dbc43efc86128bea36a47bea7bf877a41ddde16

SHA512
e8d7d35d31bdd8bb9de052b97359c93ae00d27bfb177867154c683b6932b9e3334eb7f77f7bfe3b80001b51ce07c3c90ffb1cc4baf98433bc2eb2eb4bf083160

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
efdd93a8b8efba1562841c268f093d63

SHA1
87d9ba804647d7db3721a774f0499b60bd14b0e7

SHA256
5cc0331c9bf2f2e7b1e4d8b4fa16e36ce349331fee5a660e6bac60a8b0dabd6b

SHA512
802e4118e64b8410561cb5c1b115fe2cae048656e121aa7038396d83bb96ccb1b5246bd3d546cad6b2886b1936d020044dd0083667004c2e965cf2227bed30e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
57cb59888ad44b8e807be8ce714db71c

SHA1
fd0ad49fd18b059510f2f727ea278ceaa7d81805

SHA256
49f82a0c555359c6265053cbbdfce24b38aaa10c34736c17f27179ac3bd4abe0

SHA512
3b96bcae23140abb88d061c0030523b7119b6f2de563d92c52394c8386fa5737038b300b147faeef868f5834119483ed36d4dce3ab205052ad22bb5847a47d08

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6fe520e993ef4946bfb8c4e422b2bb84

SHA1
5c36f73df2a97f3f0db2035c04f67c8998a1d0fc

SHA256
4ffbb2731d76230e57668d0e7a87182d37bae4ea1f9348591904e643bc8179e4

SHA512
6d98458b9a6c8dd90f7ede40201302e401396c1dc41b8e2fa9804f957d470bc4e1b99f07c1809863ab8a0204bd6e6e921d53eb722e80681c574fb11be51df13a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
e1bac4d20f4e0d177e7cc482bf5f0cd2

SHA1
231e99d74f53a20666062cd8a3bff42ce258c58b

SHA256
b33172137f897cee0a16a880130774b803194b940b9bd85e47abaab32e045ad2

SHA512
cbc71875289bc7b6898d055ee476ddf1bd90762e53599fea2ed21e51f8fc6311255be9c8604a6f7ecb9885b714ac6061ccd822d8e8fa3d75b9ca187442ceb3d8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
478c39961e3848f88259fd07e396fd52

SHA1
515fb8cbc064132b5003a6de8d6efe7802550636

SHA256
0bfdbd9ccb4c756397fda48bea0d759a3a8f1c30d2e0a86f71b96595e3c7313b

SHA512
74a3c9d1f511bb434cce1c39d0374559b2631dd5439315bdc3a62cf0cc6edec65c21e1f6b8daebde7746b3a632376c52f138960f2717ccbc3a035a882eb4c06e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0f368d713b51fa6944c8085bb71a2167

SHA1
be4f4b5200ea8cdef58cdce05f4fdd72fcef5f79

SHA256
1a6fbd4653b9ed37468163ba6310c2d4864b28f6dad8447cfd5ec333f97b3420

SHA512
dcfa498cbaf09d90b3213ae630b2f70cedecbb1d1d128ca5c6d6a2615b273b7800774b6e113e24cce452771e629a53c5702c5fd80e4741fbc765c8bca7da7f71

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
63a4aeeae50d736fbe458d2f6dd706a7

SHA1
cc5ef7b563c0eb20ec55a979fb8e3a8cb74cc11c

SHA256
64621b62d6028b1acfb20cd1a02cdad3a54d83fb1ad52afecaa4b05498971ddf

SHA512
26b3da86c8bf03bfb1cf7e4a3bde0e6ba5d55f122818266a1ba94610731d13cfbfb4158352b2d555dd5d09d9a3c62866ae57e7a4684c40d4ff6b2565dc20e61c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dd7f4d8c54dd4232cf0def11bedbf86d

SHA1
10b7a11e8251cdc767bb531a45a8f55263280186

SHA256
69fc4601758da7cecb66aa3c136e66938a7711b18c27b33e656a1df22387167c

SHA512
b4fcb1d233e2ec87e7cc37fb7a6ee64ebf03c69e8ac5397668e915882c5821dcdc75624416377911a62736818e36dd0cd6f008c40c16d5aad6e9c0684dcac836

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
4a412324d9d0b716f7e02d1a38dcc380

SHA1
f263302d27c948390de4be3bdb45107856bc57f3

SHA256
dc3b28648bfc6d5ab8ada3e087458e91b22202b8f5837904ca5a1bf45038400d

SHA512
8b1f599a0465bbb3c318480a0706ca223f46ee284191e15c718ef360015fc9682412a0712b88f889c63229360adfc4dc70809dbcc429608589d4121f91865d8a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
66d28d47203d9911753769f7fce3cd54

SHA1
c746ea260c1d3c23792a7af13f76a6005f6c65aa

SHA256
9c7f5eb30e98fa7479a227511b3306ca7b387be522c9ea22749cc4f8b769c7cc

SHA512
06b392810d1cc3da0316652d7261aa20f5d20395552a930a718498d617ae20ad90bae2ec6174d473410ddfb348ddd59d90dd9020d7bf3b4172d60a08de75ca3b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
cf0941f0552fb312fa5ef34c6b2d636b

SHA1
608814e5b36af9e9e2c096399a9f03bafa817b14

SHA256
97e43e09bfd633761c4c6d948266253c28127a8a69fcf1a5b298ca15df906bbb

SHA512
a8d5262fe3297d81cc2b0685708594d73e1c68645f9a79918afe4a8301455b8e502bd1a17231fccf5dfb2280d346120bb5ea65ddb3e2e0a7ccb8ae3682ed4809

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9eac90d9244f52546e7def673b9381cd

SHA1
4827c0b58699889fe0b2bb427dd39a9915f5ecba

SHA256
b697784f400d56751bfe17f156d369b30def117857a1bad4a81f078971983943

SHA512
9134772ef00e348f96940ff0ea67db8a9b7e02cd0315ba9c47ecaf93569cc75581cd370497ce7eeafb49ca17c96bde9e40f94f3b49c11e5c7253660f02514125

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
300f5e6698a8367c4e407c216c67efa8

SHA1
cbbd0904ccaa1210055951b4205a342e227d42ad

SHA256
92c3d4f824df951f6cf46cc844b20764cdede160b26a3a27e0e9cf36f8c162fb

SHA512
4639b6438ab96c591c6922bd7911784a6c53201d406539c9bf89ce3b0a6abb3bb7330c8f0f9f60e1ce63a73f1fbfc24ea94cf6db3c428374018b9a0c800cb3b5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6d37892d1d4cef6d0a4db693ca900946

SHA1
ec2ca6338ae61a448e84071534cfd469b5f4c319

SHA256
3765a56b8f7824330a3b74ffe1f8e9f2e6710907cfddd38f3ffa0b8298c82189

SHA512
f33c764f49f2b6e6c1c89abf6255c24aed6390606206a53a02cbec0a4e154514577a83052c02574cc5c755b18fc4da7e49b6741ced85c3f7406ea3b54b05250e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
3feb0fd70f41334d21bd399f4085cce3

SHA1
e624a57539816723be40bd8d6d1e483449afdb9b

SHA256
bc622027771bfee7dda395e55ca05f1314884b4d58d8450cfc2ff5f58431da73

SHA512
817b6a844f0a3ebc11f37dbd625ad78aa624f3afbf8aef77ff1a37a835ad64d2ecd5cfbec9ec60a15693664289b23ea0b09f124cad5c6cc9dbddc6c11b86d1e7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bc60be6907f835cd6a6f372e74ae2ef0

SHA1
8350cb90be65ac5f55eaa87cbaeb24b1abff7e1c

SHA256
0313a40ff4a94034822e13bf4748c5ea6631adb85de3bf41db704ad557259f70

SHA512
b720261bb30fa9c3ae542efab3c51b5cbdc1330261f12743a48ae1c4247029ff3892e50661f959dfa1092501c7056996052cf8dc4b7ab4068e229faf1c87f22d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
bc1300efcab3fafc187b38675c8a8d7f

SHA1
ed104a7b3b6bef3c83299a8acad90975d705de41

SHA256
7443170baf3ccb4f1755c73495d9307dc234df43694b4db21f2190da12d372b0

SHA512
ba71ce04be0d29d3c98c771dbaa32814a2ce2cc8bb09ae1911481e151af1fdae9ea0ef2810ee4a99d442c0938a6acbdef84f4bc46798a706374f6ed7a62ad86a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
bdeeef305773981db7dba578307aecc5

SHA1
7b18e5caf66e915d5b79a87aa282e1f3d9549183

SHA256
a280dcbebdbe6a87813b03893a56a92e4cab24f672c9d09625cc47f0b0649187

SHA512
b562663bf6df7d2d90d587c3285e3c363cf1090b02b049dfc74863383d1a6aa49a1c20a543861236c8d095bcf02c67bff5c92a76cd7d344787b4beedf53f7ca3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
5d8c3b7021248363d584a4122fd6d84c

SHA1
eaadb0ff2b20df2c5e133c839d0bfa72f24f6b40

SHA256
23bd2d5ef44642755f8a5a5deb2ca30b3a4df9935abaab2bdcaf6908028cbe61

SHA512
e1b63cedaad733d5e6e7c9f5c7dfed42b47db195f27272c0b33a0dbce3c295bf922d3e28dcd587f5e929dd47b585b8ced41a5b9dbfc7d06d576fa578ca2d42a5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2cb1ece3bd9c0e94e6e1d8f50309ef0b

SHA1
514c408e93292260275d3e57ffaea551453d49b8

SHA256
be72eb41fb7e9bcc06236488afc09d85c628132fcdf45a5662ff66cf01090adc

SHA512
f094c4a6e0a7c1c64d469693e6c6ec069b745ab1314384c73d8477672bf0f95a230f97bee3734ffcae9eaebf529e89a1988d51084009408d842bc89a9a880aee

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
c31fc1598bdc9183ef98935dab541792

SHA1
dc156b245a89791dbb3f0a577ee0d226b1f26c95

SHA256
a013c31feef39f8f26e8817d0c1280bd8b48d080cc435e7732669435d12afc95

SHA512
ee50d737e6b6c65a7b256c81e8147b1eb57783e5cdd143a1c1a54e61c9be4dae8d1bc877697d17c00bf11ce49d0657630747c1b55cb791c028fbc14d9293c935

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d3551f7097262ddef8612210fe903558

SHA1
13862bbffb785b9d3b8057f767585985640a432a

SHA256
09f38a52fcca9ed637a9f5635286fe1c2190421a994c9540ab6f5aa690a1c915

SHA512
c6f65dbbc58e96575b1d0e72b59df7947a909a9e6c6118895204727c34f8d071ede7beb9bb1d72cd92b3bd3ef6346a037d78f3a03d2b126a6297ed5733167c12

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f1341c790640013fe9cf3012f5a50da1

SHA1
f520ce655607730dfaa03e1c0a8fba1a10d3bc4a

SHA256
a65fc0050c89fe5489911fd7207c8dbb48e09661f8dd18040f375e06292e7f79

SHA512
558e84debd62f1a4d5e27750012aaf398eb47e0e94186a3daa0d24339233d2161b7af7f9741efb4df60f2225797a9a2010870c2a672fde64469ea9939a129d0e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
f77dac51a9e8db61cc9850884a17bcd0

SHA1
dfb5a22a46d20529c100b6a23acc3ad1d761095b

SHA256
4d76e7057403c712d8b44a4e9e7472bb0d5e144539e6404af9da170d164e8f74

SHA512
59a7452c4d389a1ea5d57dcd2959fdb6cb3245d9c7e95e672d37e84cfdfd02ebcb72df41ea1d87d8e44d5e5cc877b4d3e1181f1813a757ad3e9f8b93c4287aa8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
c478aa52cdcdeba108e0fd7f562c9625

SHA1
ba68797783cf862c4aafb8364656c9aad3fd5369

SHA256
2ae143fbd80af009f4c950bc7f286a20d6c40154836c54e251f4ce742a43f883

SHA512
8e668bbc691e5addd9acd54cba6e0053d244e78685e3e11cd37b5f57f775a17451576dbe367f0910055d5103c41b805a80b5b809e554fc42cdc2e8b3e45086cb

Download Submit
memory/484-223-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/484-105-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/532-50-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/532-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/532-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/532-38-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/532-44-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/684-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/684-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/684-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1376-208-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1376-91-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1376-90-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1416-84-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1416-74-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1416-75-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1416-81-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1416-86-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1776-197-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1776-625-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2092-123-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2092-235-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2156-1-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/2156-6-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/2156-0-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2156-89-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2284-630-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2284-260-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2848-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2848-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3116-128-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3116-247-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3368-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3368-518-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3544-259-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3544-138-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3824-627-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3824-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4212-194-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4212-619-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4500-116-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4500-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4500-15-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4500-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4868-52-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4868-59-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4868-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4868-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4952-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4952-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4952-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4952-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5068-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5068-537-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5068-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5424-161-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5424-389-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5512-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5512-633-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5756-628-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5756-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5960-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5960-629-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download