58fb929ea1ad269ebd8b035b6aff1a7e670eb5682ac418de3efafff23fff57e6

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 16:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_1786edfe0a8353c14ab10259fbf48389_avoslocker.exe
Size

1.3MB
MD5

1786edfe0a8353c14ab10259fbf48389
SHA1

cb95de3a283e98a815775a4d0fd3f8142bef9f1d
SHA256

58fb929ea1ad269ebd8b035b6aff1a7e670eb5682ac418de3efafff23fff57e6
SHA512

f47fccedf850bf662f5cdb10b65faf21cddace1fa614d70f0ac8d5130b4f1a40304240708e76e13cf4007766d693b64e9b580372abe3c951c4cf2a9fa96e2018
SSDEEP

24576:H2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedPCks7WE9F5pwg8zmdqQjC60jI:HPtjtQiIhUyQd1SkFdPCks7R9L58UqFe

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
884	alg.exe
2836	elevation_service.exe
4440	elevation_service.exe
3404	maintenanceservice.exe
3448	OSE.EXE
1516	DiagnosticsHub.StandardCollector.Service.exe
4388	fxssvc.exe
2728	msdtc.exe
1532	PerceptionSimulationService.exe
3456	perfhost.exe
1328	locator.exe
4324	SensorDataService.exe
4116	snmptrap.exe
1292	spectrum.exe
4932	ssh-agent.exe
5064	TieringEngineService.exe
3128	AgentService.exe
4300	vds.exe
2552	vssvc.exe
1464	wbengine.exe
2284	WmiApSrv.exe
1644	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-30_1786edfe0a8353c14ab10259fbf48389_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9b5fae53c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eb7fe330dcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073f2f9330dcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ded75340dcbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f61cc3330dcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a12df5330dcbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a2690340dcbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec54fc330dcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a006ee330dcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcccd3330dcbda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2836	elevation_service.exe
2836	elevation_service.exe
2836	elevation_service.exe
2836	elevation_service.exe
2836	elevation_service.exe
2836	elevation_service.exe
2836	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4340	2024-06-30_1786edfe0a8353c14ab10259fbf48389_avoslocker.exe
Token: SeDebugPrivilege	884	alg.exe
Token: SeDebugPrivilege	884	alg.exe
Token: SeDebugPrivilege	884	alg.exe
Token: SeTakeOwnershipPrivilege	2836	elevation_service.exe
Token: SeAuditPrivilege	4388	fxssvc.exe
Token: SeRestorePrivilege	5064	TieringEngineService.exe
Token: SeManageVolumePrivilege	5064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3128	AgentService.exe
Token: SeBackupPrivilege	2552	vssvc.exe
Token: SeRestorePrivilege	2552	vssvc.exe
Token: SeAuditPrivilege	2552	vssvc.exe
Token: SeBackupPrivilege	1464	wbengine.exe
Token: SeRestorePrivilege	1464	wbengine.exe
Token: SeSecurityPrivilege	1464	wbengine.exe
Token: 33	1644	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1644	SearchIndexer.exe
Token: SeDebugPrivilege	2836	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 4092	1644	SearchIndexer.exe	115
PID 1644 wrote to memory of 4092	1644	SearchIndexer.exe	115
PID 1644 wrote to memory of 1336	1644	SearchIndexer.exe	116
PID 1644 wrote to memory of 1336	1644	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-30_1786edfe0a8353c14ab10259fbf48389_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_1786edfe0a8353c14ab10259fbf48389_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2064

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2728

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4324

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1292

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1768

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4092
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1336

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A
DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A
DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A
DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A
DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A
DNS

uhxqin.biz

alg.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A
DNS

uhxqin.biz

alg.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A
DNS

uhxqin.biz

alg.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A
DNS

uhxqin.biz

alg.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A
DNS

uhxqin.biz

alg.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A
DNS

anpmnmxo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A
DNS

anpmnmxo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A
DNS

anpmnmxo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A
DNS

anpmnmxo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A
DNS

anpmnmxo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A
DNS

lpuegx.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A
DNS

lpuegx.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A
DNS

lpuegx.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A
DNS

lpuegx.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A
DNS

lpuegx.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A
DNS

xlfhhhm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A
DNS

xlfhhhm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A
DNS

xlfhhhm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A
DNS

xlfhhhm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A
DNS

xlfhhhm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A
DNS

ifsaia.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A
DNS

ifsaia.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A
DNS

ifsaia.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A
DNS

ifsaia.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A

No results found

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

330 B
5

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

pywolwnvd.biz

dns

alg.exe

295 B
5

DNS Request

pywolwnvd.biz

DNS Request

pywolwnvd.biz

DNS Request

pywolwnvd.biz

DNS Request

pywolwnvd.biz

DNS Request

pywolwnvd.biz
8.8.8.8:53

ssbzmoy.biz

dns

alg.exe

285 B
5

DNS Request

ssbzmoy.biz

DNS Request

ssbzmoy.biz

DNS Request

ssbzmoy.biz

DNS Request

ssbzmoy.biz

DNS Request

ssbzmoy.biz
8.8.8.8:53

cvgrf.biz

dns

alg.exe

275 B
5

DNS Request

cvgrf.biz

DNS Request

cvgrf.biz

DNS Request

cvgrf.biz

DNS Request

cvgrf.biz

DNS Request

cvgrf.biz
8.8.8.8:53

npukfztj.biz

dns

alg.exe

290 B
5

DNS Request

npukfztj.biz

DNS Request

npukfztj.biz

DNS Request

npukfztj.biz

DNS Request

npukfztj.biz

DNS Request

npukfztj.biz
8.8.8.8:53

przvgke.biz

dns

alg.exe

285 B
5

DNS Request

przvgke.biz

DNS Request

przvgke.biz

DNS Request

przvgke.biz

DNS Request

przvgke.biz

DNS Request

przvgke.biz
8.8.8.8:53

zlenh.biz

dns

alg.exe

275 B
5

DNS Request

zlenh.biz

DNS Request

zlenh.biz

DNS Request

zlenh.biz

DNS Request

zlenh.biz

DNS Request

zlenh.biz
8.8.8.8:53

knjghuig.biz

dns

alg.exe

290 B
5

DNS Request

knjghuig.biz

DNS Request

knjghuig.biz

DNS Request

knjghuig.biz

DNS Request

knjghuig.biz

DNS Request

knjghuig.biz
8.8.8.8:53

uhxqin.biz

dns

alg.exe

280 B
5

DNS Request

uhxqin.biz

DNS Request

uhxqin.biz

DNS Request

uhxqin.biz

DNS Request

uhxqin.biz

DNS Request

uhxqin.biz
8.8.8.8:53

anpmnmxo.biz

dns

alg.exe

290 B
5

DNS Request

anpmnmxo.biz

DNS Request

anpmnmxo.biz

DNS Request

anpmnmxo.biz

DNS Request

anpmnmxo.biz

DNS Request

anpmnmxo.biz
8.8.8.8:53

lpuegx.biz

dns

alg.exe

280 B
5

DNS Request

lpuegx.biz

DNS Request

lpuegx.biz

DNS Request

lpuegx.biz

DNS Request

lpuegx.biz

DNS Request

lpuegx.biz
8.8.8.8:53

vjaxhpbji.biz

dns

alg.exe

295 B
5

DNS Request

vjaxhpbji.biz

DNS Request

vjaxhpbji.biz

DNS Request

vjaxhpbji.biz

DNS Request

vjaxhpbji.biz

DNS Request

vjaxhpbji.biz
8.8.8.8:53

xlfhhhm.biz

dns

alg.exe

285 B
5

DNS Request

xlfhhhm.biz

DNS Request

xlfhhhm.biz

DNS Request

xlfhhhm.biz

DNS Request

xlfhhhm.biz

DNS Request

xlfhhhm.biz
8.8.8.8:53

ifsaia.biz

dns

alg.exe

224 B
4

DNS Request

ifsaia.biz

DNS Request

ifsaia.biz

DNS Request

ifsaia.biz

DNS Request

ifsaia.biz

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ca8a65c912145cb70b2c59b767ab7b48

SHA1
eabf7d7c5aba18ca97a33f0c850ceeb3b3785efb

SHA256
ec80e3ae72d4f084688467ab644d834e58d40ba2fbb0bd2f4330a6c25e155ff2

SHA512
fb7bd07095a115fcb3407c84b0635d4c50e19c1ca895740af79fc78b1111a3741f2a63b9b2e2d432ac5ff93869fb16ac39cad448e7791024ec468ad7eca2986d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
be8aefc69ffaf38db13906fd9015d156

SHA1
c86ea67c2be41324d74e8a68e16436eabc6181c9

SHA256
dda8aa0e2b059014fdd97c5ff4b8e4703f26ccd06ebfceb156c0d87b5792c5e6

SHA512
c75c02cd9daae61a54edbb772abbfd77e46aa9d83f37d2170d9a7236324ff3a8d0423e7dc790c8662aac20db30417014bd95e96b2cc5dd367ec9d0945c32cabd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4d108352b828089ef0a1e903f8865820

SHA1
df588c6b4e2527989cb9265285289e858b42578c

SHA256
39a118b02eab2199791abd61d50f57c0b9090e0fa4f149d03ff5d73ab45030a2

SHA512
5196127e46e1e626634ba6351270a35175ed1274331a2fefcd429fb68a29bfc645d18a5d8ff72d3525a7ffbc415d04e013b7aef9e9e671b2d6294fe52caa58be

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3616bf8b06e4366f562f55b85bb91ad1

SHA1
80edb81d079b87415fc751bdb576ec248f9fd0bf

SHA256
47d98d9ea72154544384eafd11b0f2802a9e3fb32a8620f7ff923161b495c9cc

SHA512
66c133af19a22a1cf3733d8b5d6561ed363ddd8d65709efc34bb674902907e6a1fd7fdd556da655d1d719c5e4ed3c44dfabdb21971f3a17556977fc73b21f882

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f800f46810a506319fc887cb4fb6ab51

SHA1
28b59d4731fa11763ae239e975d005ebe5d28cf5

SHA256
8e90b42b2ec6c738961231916a5cc72bd18b1c3adf540b7fb9d294ee72180ce3

SHA512
7f94890c6154cff1c9d168f987ff2293c224ca652024d305e9e0474231b85a9bd16fcd78624ecd5910868aa3fcd5d7bd85096007fe0397e368d65e5f39ef953e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fce711e98a4ac06b2751dc9c9fc588fb

SHA1
d8b5d6585e491693f726db2f7470dde7e96da116

SHA256
7ec43363d1d082dd9b381e131cd8034c88231cf214c6a7e74f40330dc879d6a7

SHA512
30090f66e3709fd7059d6ac76181d5160e3c338328742e6498db9668c04d1a200232ed73766b44e2b2fc28a525c0f3520e6690153cb0d1e3d0ec2930f7224052

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
fa2ad3d62ce1a3282dd8d768abc1db5c

SHA1
7f4af319187c812a3ad3834fc0d0826bdfaef5b6

SHA256
c69190c4c8e650d2eed46161bb05217409e84e807f37d78dc7ac09c6750287d7

SHA512
0248586d641043c3ed90184308f46dfe7a497aed037bd1a3f3a8017be1ec9f0b401906135c6e09d91d9d126ec6d1a23440f80bf62557b05d637a0c2a65a1ea43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a683cad2d3324de0118de7296bb514ea

SHA1
26a9593a61e602c667be642d44d12cb92fd3d681

SHA256
789b75341466c94d832ea569120485352e84808d1edc14b926853debe819df12

SHA512
94d710a34832866ad80556a726125f262c0ac5df49329b335cf2553c4e1dc9bec8305ee8c5117ca947fb4dc4d5bfed4931bd405a4107a34c591d053334a97868

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7d082cbbd09660653f95c4d85ccbc332

SHA1
138115ee427142333ca6c1e355426a641b44d7a4

SHA256
ef66ff1cc9a0c322e2931710b5c4ad450306e2bf09a7e8718b9bb5f0f5064553

SHA512
78f4f50666084d18528727476e4cfee0ab0f94d4729ed0f805b7f94849a84ade3ac43d24ab8180c8c452bbf45965126176e9c5968ece26332d2b5b48e702f00f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2df33e3a96074791f17dcc256ec95df9

SHA1
b8a26ab693a63d0ba188552da434cd310d150948

SHA256
3ad32b15fd533efcb3c78c635b7f8b24c52212abc1109f42fe2b134420563991

SHA512
f6179d6fe5bf309f40844f4031dbbdfca2d58aeca96d6661831c60c1e4c2b773e95d33226d5b168cff4d241e31df5430719a3e52e87080b715ff2dca89f31c7f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
24c364c5fe081a01e17e07f9bd0aad43

SHA1
f306ea37c1a6a86e9a3cf3cbb584c3ac44a8e15f

SHA256
19131eb8b59e73a0ef96ecd613be123264dd5ce4b95f8e4246af3398a9480847

SHA512
295264940abc6c557e02a6b7fa6cb1499754b99389eac8a813ea71d1ec36de0abe463bd1b1431545799e6f25d44780a9626e40219748a919b8ecdcdf3747196c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6bf3677fdcbfe750aa9febb0fd9d6349

SHA1
28643618ece02a1b2ed4194669de502296046629

SHA256
08cd8a2c9b6647ec2a57547e1f381273921299eee54e0ee5318f57e4b284219f

SHA512
a3e1c8208c2ae8dea3632422bffdfd429028615d458a4299b33cbc0ef9bd039ee798c0202a7afc363cd203b99a4ea8f2837d02f884dda460abb7bb13fd47ae96

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8657169d53a7ed829305f85f0de2d9ac

SHA1
28496719f6dd08797c0a1ba5ff7840cffc133c99

SHA256
09c0e6357bb1cedaffdf5669b02a33228b190ff74ec2199f8d43794cb681d90d

SHA512
5121d5c85deeeab6a45bd41a5a171c33734970b9db76c200622ece18e3ff6bc86517ecf1c5db8d3c3fb74e952e16f4098ed9f6d4aea6fa713d2d5ac1b4147a60

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
76cfe25cdadd993ed9dc0b9ff791c58a

SHA1
54ff7f51189ec5c004476daea0e279310d5f5fc1

SHA256
959812ab4275b4590bedf7824d10234eccc5744defe8c357653a854600fdf8e7

SHA512
3e5cb54875979ce1e8aec6bb4e80fb3204b65022459262886dbae3d9d0dc7c5634f1b348d1272e5aa15f95aae35b7f30b299412cb6a175fa432af2b36478d164

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c30ddaa7680ab2955c8fa1a72b74fd79

SHA1
f7dd5553d153674c532cb6e97697c0b32dd3b61a

SHA256
0c67b75491fd7b5cad977220d54c4ced5b2a2e826ed8d178b7f632d6efd1cf05

SHA512
7c997fa2a7da733325166cbe142a40197283482db24dfa41c045e8fe340917957e252d3e23afdcaf44b6d911b509ad3aa89a4560e89ebafdc9268989ea444cad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d43698671a4b75e953e856b0ddcc4c90

SHA1
94a20da8612b0c65b7bf626941ac366455133f58

SHA256
7a63345f519b4770eeebd141503033b523114b1d66f6f1b64b7720d9e61bab81

SHA512
97b7d33211f93dd69a3eee32cb3097b2a6e26251cc05a242a3dddbb21e556f0450fc20223e8c995151aec7c0f78db6bd437a961af2d57e33b085641b38368618

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6fc6f7e98039d8b6a1e73072ca71e7be

SHA1
abc5889d60320e624066ece9866c72cc1446bf2c

SHA256
7c66577f66e4d8687f0a4f31e010371f93987867f72e4c6affd4ada4d647cdee

SHA512
731a4c192785f5646d9289f40b925b5de8855d2fa6fa5d4a12a4891d04421b67ac0ad517e0edbd22ac85ff691c2cb510218e971bab37d6c89028072919373dcb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ad687f4e106ac7a258e76c6ae358bc10

SHA1
7201934edbb1afbff13718c15c7648a364c4ec51

SHA256
b2f7ab0c079e9fa5e14d74613be24d3b237c31d6bed7c30a8de2b9d19b965ff3

SHA512
a41872380244423710cc7eabadb485f7666e648442e4839ec7c62bcd5dcd305d26f14dd82d21dec4762107b8b8e69bf7f3982772854897d12c3ca64cd31d8d54

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8cdf6461cb4da818f715ec18cd22f6fe

SHA1
febb0d1d245943ef62f7c266381db04804cb5be0

SHA256
1e633d8691018d70280ed0926a2eaf1bb8ea201d2e43ae29529f14d2977dd217

SHA512
6159bc7436eccf9435c933c50e239fcf69db0dbbfd0f09b97f19181df68690f61d9dcfd4efcb6b27ac093f5f8d24a8be10ccac72f942ca8efff30aff4bd17450

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
fdc1378561da58034128c64067ce9549

SHA1
46de9043d3267462c0d7bf0b3eda35313c0b9712

SHA256
84be2fdd3ab8fb83cbf6c417877781426cde3f005938320284d744c2967c51ab

SHA512
8165d55a7b841dbd163b288948b2d9741223c0da03a38872e43173c44b50ac413e77b676b9ada0a8c3ae2cfb0915d7904b9fbe735430f284bf4eff3a90ed3c89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f0729e1b1730e489475175586629181e

SHA1
b145a7443b293da0d9f45d85c99b0b3cf7dd05a2

SHA256
e83a36e686c4f30a086a1855dbc4db56710d32acbde42037228ac3466975cdd0

SHA512
c9f2d82a089f230fb35fa9ae6f7b20c1ee0cdb992d330e1fb716154ccd8ca812707c2eb1137629694754d24aa2cb27be03d51de76285a69c08c1e36137943bd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4439034bdd5671b48f9138bfcbcf0340

SHA1
0165f755fbf1ec598e54f78d186d8c01b6850d2f

SHA256
1accb2d71642aee961d580e09a73ba008dc5380e74bca09abae5853fd2d95dc6

SHA512
011e524103e8e846d388a353e74defe8a859daaff7c9aaa57e3f8019b1292b32686ae172b8177fd67980d569e94da5cfbe5aea2a8f80de5f83b07af472d449c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
67a6c20e297a7b28af04297ad6129374

SHA1
b112f2d23a966bfcf385b03c4c765829626bb282

SHA256
0e4a8a15e252453d4e88c8d1688415a2e3c3d8a1e3cd6daaefccf79eb5fdb824

SHA512
71645dfb963d518061c79449d1bd3d7f58c91bf2e9e0a23375075934b6d59c0a7e9c72080ab22836ec2544ac82e31fa809c04a7f777cb699994cc01628d242f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d8ecf89e91bdfdfe80059e2d8a6652bc

SHA1
78ece5ed4b28307547f1236463c5985d07243371

SHA256
77a63629b327cea11ae6c332714144c3388a05f7cc84313b3e3700db94377328

SHA512
1fe096c9bf2aedcd0cc2b764aca75d639be8f703d219272d7bba6a062fe027a52925830f0ce626316d99646477be6fc75a70311a5877e31152d67768cb73ad05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d1ce74e40718d4c63a0104de853546a5

SHA1
801a054e071fe2021c7720b3580ed0c7f6ec2534

SHA256
39c67bb57692eb749bf64c51c029e08647f7d0cf28d64e1de1761c80c9535d1b

SHA512
8a6a027eba4eef16652d5f1ab9e71c838cf5ba984372ac4ec519ef08510c16e4376fd1fd78803b067c9e333eda36de7506ca86ab494e4ee8d72b9587326b902b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
127ea068004fc3d50ce457985071a7aa

SHA1
7cfa4194327f593730811bebfeab99168ef83473

SHA256
7b5be562fb0aeb02dfefb5ce63a30931e231b8443c4b0127aa43ae8104c5ceac

SHA512
4c29082b5572b88b11ce9b5ebe083c75217951d4fe4380f774ced4f82f0e1f845011d59324aa9a4691678027f754fa57827d7714bdd11b2248407652d143ba28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
25372d5d6111cb6a36455ad450d4ef64

SHA1
7b63b2ca81fb065c513c3a708927ecdab731a387

SHA256
99d41bddb4840b0565e206de9bf71d8c6823b76025cae5111b9ef3128b94f88d

SHA512
f929d7c5bd757e308ad2a6c95ac14e90406b8633a9b2f1dfd33424a51b718b607653d2d35d32502b5c039bf0a35beaa4f33e7056a3e4ffa70cecb8c67e228a02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f4e8f9f69e0fb38f8ad376a887b790e3

SHA1
0e163f9c4277a6159fc31133b3488df55378c667

SHA256
b8230564ca7b3b6c24b7e53cc80bb00fb17d2b2008ee9545709ab3375a0369f8

SHA512
47a304c67f774d91718b128038171ff433355445459b4120fee0d2e97746c8583682bb0bef1616eb0ef64680ed8d16723887948016be216c63465108fb60ecd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3ecf072b328a3c3de75dbf8b222e9f86

SHA1
31509987bc7e9e75b9e7e9f6f7ad821291c4d26a

SHA256
deb129a8aeff0e8fcf59697f70de7821da98e9a058806f33df72c9c49e9509f9

SHA512
c4db36c60df5d4b43e2f55f811d01afdc8913868b40ee3be0d27735fd186f92a472fcb0bda71f130d164816efc5de856a57fef5f511e9adbbf9ae0497ea1261a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
1a601d897b23c8df5221e7bfdee4323d

SHA1
36e92998b2b2358d918d5c29bba7bc201c808a73

SHA256
583f45443c18b97f88350f1169352baf44c6d0c68284dfb582a5e2ce37b2f3e3

SHA512
5029980d1262f91624f82d0c5fd5ad6570cd120831491b0bf8bc1ed8e49f924f5196c0b964f5cc02366b82cc22d16e43b276df9bc279a9f5f05fdec8dad28e7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
0e5f5312008171de2dbc232877ef1d4b

SHA1
2fa64328c54058edb9ed1dc62728491df86fb5ee

SHA256
2c557c13a1eeaebe36edbd76b10588b1d7c6915e5f2592d112dbd31f678d4c80

SHA512
557c45ce631ef60c106af1b5b369b69dca5b5cd1566d07964aef2f1c212f08bd92f9149d5066fd431fe4efa1a8c54c53914903247a41a7753c21f81ddf20c581

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
27a61e405d3ef8e151d893a5183ba575

SHA1
1c82c93ca4a5426e4604374bac5d97fdefdd26f6

SHA256
d82805c40d2b09f2c9c4ca6d9f7da5719a293659f550ef4fe40c84e5701c10f5

SHA512
b4a01b5d8f9eb12c68762b07b60b8ff911f684314c134c04bff97b52d5782b2f2258243383ed79614b8977b6751543bf4c950556b22b888bd0c95f6adb0dbfec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
62c9dede3d51f70eb04e4a1f176077f1

SHA1
e11f596eba69a39ee8bad009d6f9a021ed72800e

SHA256
a95ce6cdb34b1b2505e3738aee29427253e2ecfdee8f85feb1b3d144eaf776bf

SHA512
fc3c6d148f5b3cecac7e06310b44d936f6ccaf5f83cfe529334714aa10168e03bb69a283293de0117b6b26ea635d835c125cfd89bbffaec57717353f1dac95f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
8120ad9b7d3b8abff3f6aaeab40469d2

SHA1
2723869dbcd616aedc8279bc0f1d4e70bd854999

SHA256
8da8a8e6201d5e3e1f7b1e657fb2f674fe06c124f8c1f37135619000d72fa71f

SHA512
37bb1caba90d53d0a5308b4b97c1443cb35b20db269bf83bbf93442c22618cbe05629380ab922f91939a101a3fe507cf6cee07bbcc638f7567699320e5733cf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
bebeedb7640f8d4bef16368bda4cb876

SHA1
d41ab305450f1004d555f67bfa8b7ca51b9b7791

SHA256
bf45a55b6e4f73df2a0f5985c3181d534637159f1d473531d153c924bdcdd979

SHA512
fb781993b4a305a7130fbc7001b40d5389fb78f0f2287d0e901870ff643af76871ef28e41e30d925b3ecaf48901787353fc03bfe37c913393c2f646d1fe68d85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6fb26a0688f576f61e72d29a177ebd10

SHA1
08d353a8adcb4ed2da712265a63aa0511db21df7

SHA256
b79a344a73eab008785b68e9271cbe95ae10e2044ec208cacba40c1c877c1b5d

SHA512
f85642ef1725818a15d3f703ff2a06d4f16bbc6aafdc1905f2469030eb8797bf1ffb171c8dff751bf107dbb70cc4b5316285e98205077d8ff9cc8c35392c36e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
f1fcd087825e9526ed3491a323d9aa9f

SHA1
29fb90ab4c7f681a0a1ef1bb708e30cc4a923439

SHA256
2d11528cc1c59a468daf0f3ab82664cfe638cb29fa66150cc2c91522663b99c8

SHA512
c40c3f3209ae262582c547e1c0579a3b5e88080a4de785dea8352b13b565947c598ce9c01eef75d84415764871a6aa12f92d20cb2929b597e18a85a6c895c720

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
83bfcfc9ab74e09b98d588062673cf0b

SHA1
7ee082a2143ac2e29995109c2b34029b7bf7ab9d

SHA256
956160f02b2659131c2e3e303bd2ead2c3c45b9017b4540445544d90c7a862e5

SHA512
a62774617c9773db385197bc8232d2d8108799cb974c7eb8670df8089bec4cbeeff0aa84cfbdb8239f08d160135dfcb409a6fe334de73b716d726e14cad238e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
b44f02c819679d92594dcc2892e77ae0

SHA1
4c0ebda4b24f1d67bb70f1484df28c3d51d967e4

SHA256
41d880b1cce627cef5a3cadc97a01eed6e956895e7089dd0c50b4119b4c7a732

SHA512
ae866cd0136c227ac8c111e93b99f03665abd360392e0ecd22289baf090ec250cb51992eaba9cfab5b63d18594063cf334ce524397cc65b38a8c082a58200dd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
17c779b3c02e56eb1068b182bea734cf

SHA1
73851b32e441221990417f7f5d218985226f29c1

SHA256
09cff7fe1c18bd714e4a1036e61b8273ba007172f28370f7ed6cf96c3b9e479b

SHA512
ce186884e855ed418c044706f021583dad684b0c03d4f775223a8ef229a769d12b3bb71bf8846b7a246d5f9bd11b6aa1bc18db741d01be71c313d4cd1342fe1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
37df08bc418894f3657c842228c91814

SHA1
593094291b80644ba6fa7f43dfbc7fe027aba06e

SHA256
2509b6c0c4b48b294e089882d380d6da3d00160624bacfb58c354f1ae7c2d99d

SHA512
c9dadff29fa778b2518c7a90deb76c2e2afc3fad9cd84e155834d597d59e24fc7094623583e3d5e0f4ceba808740c530f5c2c7f365d81d55aebd22a1698daaed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
4b405de9e29becd329bf3e736447471b

SHA1
d2ee2038f803379de66c1df9b4696cb579b7a93a

SHA256
ca4f5147dae5900cf8651648ea3ca5cc452c00f9e852770149ef8516ae77d45e

SHA512
05a59d86f8ef26f7ecddffa4d6a648b092af9e9cbb3ae7eebbf27a71879e5a2e8d7c3194a531b0440624c0f4bd9750d40c44f5730e3e522a41646edb2e375e50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
96798b28bf7e18ca9f9a15fcaae5db95

SHA1
384d21d3864dfa66578d4853e9e66e0d203466b4

SHA256
001f6772228adc065d17a84333a0e134ae5f66e5169c6eab1cd5187a7f4c2bd6

SHA512
493b933d0c79162c6cbfc38e77bca7691a93c0d95dca15cd2fa41fc3727f9f9d498a33465c678c3e5a24fec1c4361b2346cd12931108273ab1e704c22d65c603

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d3bda45119530d413cf64eedd3b858d8

SHA1
2d3d1e222500ea97bb477c231e283825d6681591

SHA256
00eb8b2d7023a382c52b4b365d0891a5bfab034eb75ae2122dfd3e06eec6c8bb

SHA512
f4ed28d59376afb8e4103274068760701d8c9bf5aeda7a7e4cd2512fedb7917183c700cf39115e318a59b992c24180d33b5012b7e18fc4f19843be409c39b0c0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ba3b60d057172fe49f90d2ef40b410bd

SHA1
69b51a4ca0fd7acc44e8477efe16774d7ff1cf3a

SHA256
3cfaadf6b5ee44a547f6f36397d9b5ba769a4bff8631f613ffbe85813eca2d55

SHA512
d4820cc1e6fde30c83f2a810576a51adca054f4d9812517381669b7cb3990ab9318fd249b7fdd574bec00c8ae16092deff33fe7fd3c76ddb6d09c0b8649c5839

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8ae05111a4c11a050c680bff871808cb

SHA1
0e575116be3bb604d0a9c963c95b035cb8e6ff5a

SHA256
4e87328401769de89cac9b69691b4a1c499c12d55e6ca891b45b4045649ccc96

SHA512
bf87d4e7b285f5e010c18ea8b34f2bcc39970e41c84d11e6274d93b6dfe91c66a79c064f28a20978241ed1ab1e6a19e1e6b80af07e10722dd19da8cc5a10f51b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8c4543a96188709241504280ffa507cf

SHA1
e2ef7ad61acf4470ce33fc144c8ce6a0220dbcb1

SHA256
7ffe317502948cfe350115a8562118edec31cf661b307321bf780af36b0d9cc5

SHA512
0f16bdb64b3317055b8919a6dcc46f3a298ead86ace2cb40593f8b1473c90fbdebf0d4907b684cd0f93ca1cf9ce43cee19da3afd90b3e58800a050b5c95119b8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
796c545bad30120b2700b8a836f59dc8

SHA1
575730fef87bafbe2c2d4ba07956b99b4a392be4

SHA256
aad1b89a3964655c0884d4aae725d8fcd86efd2c455a2e18a7c9969206846506

SHA512
f58c9a5a8079f94631d65ebb751956177f5a0cbb6024e99c09ab480829addff1eb8f915902619787ac3e9a2bad8af555179028ec3ff713f39e3fa121f2589643

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bd4c64456b0632c6d9f2910bf7a04f2c

SHA1
ba404751423822ec8f1a12922927ceed5d8611e5

SHA256
9cc81fe2740e1f4df59cc664355b2f32ba8f7158402a9c3eced611e0023ac8c8

SHA512
fb090b97858fbd9ca073d5e4bca7f515219ae5cbf8b78832402b21f0b2869b0d7f8000c573531852d7b6315f258caac3c65bf7fea8aa7a8b631c5868a51eb25d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0e5653a0d63d1c9114873b1519db47fe

SHA1
2378003e2737d5e50fadf7f3d127ce7a4bcf2fbe

SHA256
3f533a4ac1ab07c9dabdcb3bc85e7f117572d2267bc1cc64c65fdb2d904140af

SHA512
bbee915afe627b0a8ff3ac9d6ca0bdf341fa413c2784af1e5275ac72c9e02af3c0d037aa027fd2048206a03b4db4c0a5d19ad2d7d42f0515026c4b48a1daa0a3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
02bafa9fe8242d748be58ac5a1e40b43

SHA1
87076288e1b7844fdfb734871e7fc8c3015dac0f

SHA256
0ca93dd495707d00062a1b8a2dc947460f07092cf237695c0942f232f76494c7

SHA512
9eb074b069c1bb4f1074c3afbce421333189a842cb389112feca4447d82278e22c64f953872718c8a04998785e2b3b7bf53bf3cdfc2992bcc3b4ffbd616a147c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d607b0db09922e2c2f4655abd72fcddb

SHA1
b0d3a0f5758ccf08b19bbdb1b8dbb39cb5583198

SHA256
21023fe306dc7c8416573451d935a2f8b3dd48c15fbbab1ec0b8b3a618f8295f

SHA512
23d3ce92d9737704e47435c546888fbff75a33ec178dc2eaa64aa5064c971fe95d683a355df86c1075e1cba1ab7cc5e53cbb1cecd28567052e87524acad50494

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f19e061ad837b051ff771c1b90092409

SHA1
65fe41568ac1029394b5eb2750d893819a922cf4

SHA256
9527cfc0b9ac6f49a9c6186792679ea43abe5a69f863e1f70c080602cbc372ef

SHA512
9a595cebd1842a44b474f36cffc350e879bc5e97283fb0e985ce61dd93b15c89691c86eab44186d82f43258d4fa5a17b89ef97c70f824780bce432874ad27d9e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6b009bdcc10f118066f0ea95438ae9c6

SHA1
902718539bea46368ae757ee59ba1ad72dec5940

SHA256
1c0604f32ca3ba9868a7efd977acbc0ee8d7e43411650ecc1f8d7f942cb5c87e

SHA512
973f31238bf17986da81d50954ed18cf74162995371d39cfe236847177f1b783fac808409ff760e3dcee82f507ac8f0b281dd8613bc6516e8557b2288c267faf

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cee5d6080d58374563eccb1791ee322b

SHA1
c3190e36d46ae91252f431946233274dc816b9fc

SHA256
55f3316cb1eaddeb3f2b130b82be45b9de416e2615f6766f7f1a25d214112e5f

SHA512
4b5b1ff564c3351f90e313a3be7113631b2d764b4db7ff6524096e265f290e3eee08d8a20ffe63206f4da2776ab5fe808afa27c4f66321e78c6b8708ed685dcc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2d3066878304ea4d4a20f0a7181f013e

SHA1
0aa3f349ab8d55bed689dba7fb7e5ff1817916f5

SHA256
1f31f885f98cf8cc1bb22507e367cb9e1634ff1caae82cff1c3a3b6ecb7b575b

SHA512
2c3223b4166644a431de246e499ca3941d215629608eb2cbcf1e2d9f9523a4fe54b0f5f8423b41e0fa765d4f6fff3a1e2f06ce44bf3345c73940e24016ccf497

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
dc666ff48d04a4a5064d72393b3b886c

SHA1
1b02171d0ebd6480f63ea7e44364deb0f15e7bce

SHA256
8111634448da6d9f5773ee822b35010890d61d330d801f328641ffd2a0b42c74

SHA512
ab512644c4b1068464dcd9c71c576b8268e19cca5ca44950e22458ff7bc325bf9fb323b23497a68d35404beda1e2ad4c97cb850e55216ecc3c09fefdfd18972f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c5c740e5fe4860cf62ff417f57f9541d

SHA1
d46c5e0d9e02e93cb0d3c1879d805eb62055bc9a

SHA256
53e630ca37d3c57efa7fed48bcc92299bf132fc62ee90fa3390bc98b59344914

SHA512
4c05f32d81a0253bcdecc23f5998ffec3ffc0d383bde4d56f4917a1b18c6da6942e4c92f43bd5b1facecefb7f90330e12e255f6402dfadf5bb31f4d819ed7b37

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ebd48a83ea8c844d84394dbc8db72a3f

SHA1
800324b2f109e788644ac4f9d8e11c129c873047

SHA256
b84545706293c61c7c1827fa5dad7740d43ff800472f8fa5047e4c2a3fe119a0

SHA512
f7771a3eaf09ce1b4cad37caac47c88fc00fc0c2c632ae6070305dec67e0cf157208eacaa15a59171cc261a63db8537b22b9dfd0e86801ceae2e39eacb998b20

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b6a6ca03a6ec20b8fa54c54aa537010b

SHA1
9759cb609da414e9a6aa38e9b57953632a737eba

SHA256
21717ec3b7c992b3ed1ce4b18a9cb11b8f2cb9734830adc223f3716625e4d4d8

SHA512
24c652a37fa1294131b12b1369a727381fc6081441582071ec689d498f702de46a417e68155416fc410801614ec78fe4c548d706a71d69f9e0da14c24f2ebebd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c18698727774c8893f867c3f3bb0f372

SHA1
82cfeef7eb456e1647bacd6b3bd475746e9f4c03

SHA256
289870a9c18c83e1ae50a47ca8c39fccc8a13040ceac46aab754732f2b9994fa

SHA512
cb5a1c25c41047fbc283b635b0ade597e509e5f8a53420cdf6c11dd3cbe0320ce98ccd1e96071e816d9f3a026fd9e182969076523255436de71e97e3058b057b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8ba7bf2a4d45b52656037074f7c50b97

SHA1
7c3be508b565ffc246732815f4d24d3bfa5c591d

SHA256
f67a3191a740d733acbda425da19b52366bb44ab59de5789cf6274247cb6a8e4

SHA512
1748759a62cb55f084bcffb110136dfbe9b60fab9a684f6f1a50e4f47e6c7dad47f89a986d50123ddaac5f08910c701734225d5e5b45f61da0765448c7bf0e2e

Download Submit
memory/884-25-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/884-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/884-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/884-16-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1292-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1292-630-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1328-418-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1328-299-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1464-407-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1464-642-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1516-245-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1516-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1516-251-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1516-356-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1532-394-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1532-282-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1644-644-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1644-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2284-643-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2284-423-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2552-641-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2552-395-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2728-382-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2728-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2836-37-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2836-30-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2836-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2836-31-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3128-368-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3128-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3404-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3404-58-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/3404-73-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/3404-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3404-52-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/3448-63-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3448-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3448-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3448-70-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3456-406-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3456-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4116-629-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4116-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4300-383-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4300-640-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4324-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4324-636-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4324-431-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4340-6-0x0000000002280000-0x00000000022E7000-memory.dmp

Filesize
412KB

Download
memory/4340-26-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4340-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4340-1-0x0000000002280000-0x00000000022E7000-memory.dmp

Filesize
412KB

Download
memory/4388-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4388-256-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4388-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4440-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4440-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4440-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4440-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4932-633-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4932-345-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5064-637-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5064-357-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads