84f87dc77b19eb7ccaee79d67a55223ea90b9d68a2ec0920b284e9be5593569d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 22:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
Size

1.5MB
MD5

066ccf7c18b0e8ef0baafb5364c5331c
SHA1

78758d948ad6648e401e13853321f993573dc900
SHA256

84f87dc77b19eb7ccaee79d67a55223ea90b9d68a2ec0920b284e9be5593569d
SHA512

553e451e8be580927fb7aa5c5843f3f3684b300db30af0833629d73905da9d7528cc14a1b7e3032fddf1e8dabe9baed46ed2486079f2efcca2b61151edd65815
SSDEEP

24576:q+l0nPsHYHOQrE0/1edr2UT1g1at0xXatr0zAiX90z/F0jsFB3SQkl:q+ls+YuQrP1ecUT1YasXaB0zj0yjoB2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1036	alg.exe
3524	DiagnosticsHub.StandardCollector.Service.exe
3820	fxssvc.exe
220	elevation_service.exe
464	elevation_service.exe
3516	maintenanceservice.exe
4140	msdtc.exe
1376	OSE.EXE
1320	PerceptionSimulationService.exe
4920	perfhost.exe
4316	locator.exe
3032	SensorDataService.exe
4272	snmptrap.exe
1240	spectrum.exe
4828	ssh-agent.exe
5100	TieringEngineService.exe
264	AgentService.exe
1144	vds.exe
1652	vssvc.exe
4800	wbengine.exe
3384	WmiApSrv.exe
4940	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9cdb6dd89a4da0b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101453\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000082901a729cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adcaa1a629cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d36eaa529cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e59d5a729cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b49dea529cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000965dda629cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3524	DiagnosticsHub.StandardCollector.Service.exe
3524	DiagnosticsHub.StandardCollector.Service.exe
3524	DiagnosticsHub.StandardCollector.Service.exe
3524	DiagnosticsHub.StandardCollector.Service.exe
3524	DiagnosticsHub.StandardCollector.Service.exe
3524	DiagnosticsHub.StandardCollector.Service.exe
3524	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1124	2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
Token: SeAuditPrivilege	3820	fxssvc.exe
Token: SeRestorePrivilege	5100	TieringEngineService.exe
Token: SeManageVolumePrivilege	5100	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	264	AgentService.exe
Token: SeBackupPrivilege	1652	vssvc.exe
Token: SeRestorePrivilege	1652	vssvc.exe
Token: SeAuditPrivilege	1652	vssvc.exe
Token: SeBackupPrivilege	4800	wbengine.exe
Token: SeRestorePrivilege	4800	wbengine.exe
Token: SeSecurityPrivilege	4800	wbengine.exe
Token: 33	4940	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeDebugPrivilege	1036	alg.exe
Token: SeDebugPrivilege	1036	alg.exe
Token: SeDebugPrivilege	1036	alg.exe
Token: SeDebugPrivilege	3524	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4520	4940	SearchIndexer.exe	111
PID 4940 wrote to memory of 4520	4940	SearchIndexer.exe	111
PID 4940 wrote to memory of 4780	4940	SearchIndexer.exe	112
PID 4940 wrote to memory of 4780	4940	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_066ccf7c18b0e8ef0baafb5364c5331c_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:464

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3516

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4140

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1240

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4112

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4520
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
96962c9b5669716ce18c3035f4f83070

SHA1
a0b42deda26425dbb201078a34f49510545f8df9

SHA256
3fb19090419c612d0c68f287b38a0f5579aa07c1286aa08832f6f44cf748508e

SHA512
5d44e8027bd2f5d5812aac8fe79be043b32141f926a0b9cd273160b7a3c0448a9dad5b85dafeeeba390792fd0f6603be143f46da751c7b512e7c9f8362471ab1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ffcec9f8ff8b549f3a4a05332272952e

SHA1
1f5d7da7728c30815c5871249e84fbefef59f28b

SHA256
909c7c9dba99c7f191a38208b63d5ca2f8cc2caf477c4844b11e4dab9029978a

SHA512
0c113ae4d8f17cd3e5a46b5119d753c2e352a3effdc8ad0ec15d4e20e0774671f3937cdc303d733f7552045cd7ce41a6be454e81e035850923a7e94894d85fbf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
81f3cf83a50cb577fa221f647357b6b6

SHA1
dc7ec82cb701ee08351124c22d2fbb417aa91ef6

SHA256
993e691d3e1f785a9c78fcd9d6d9e1530d527716fc1afb6f2d6fc6e05a9670d4

SHA512
e8640a7aff28d8071d656f2f57ca0c2494d57e48e653bf9e0f64b69fee94f5c61c5d1a0f12ceaa564738cde85369ad91da19431fcd56b96e2e38791c5b50f6db

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bf701fb60e824cef4c7874b92480f9f1

SHA1
a2855ecb7b08a9942e11898d61399f3392a129ba

SHA256
458a0a2498e58c57f28f6bde42d795b65ae503005a3bf0c2ff41196e8ec0045c

SHA512
b219e8d1056494285fffd46b81e4f06d2aa66aff093eb15e66bd66e9979d614a891cb003376f71157e3ef533248ebfdcdd16d54730799e69f7301b3718ed5e92

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8eeec64e099324e1ba278e1c205fbecc

SHA1
760aa964f3706f1fbbfbb9f89713560253ed7112

SHA256
55f41411e5eab85361aedbcceff8368cd776309b4f064a1ef95fa3bd51dcd742

SHA512
ff10e41b2a76fc98751829b78fba7a0281285b6b7af95f00a92e867d216dea6d146c3b9704359380e4f3cc357bbe8925da7285d7be414b648f4c4712a85e8c6f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
6f5e7e6fde83ad6c138fdb124f3b124e

SHA1
228df932d34ba576d8d8a9773837400a4619c055

SHA256
0a2649777cb4554b476c4d2a6df5b372a7129fff80a0af02aa681862dfa7877e

SHA512
addd94e1f7ed5c386f2e79d0220e434f2aaed64f0e84f81f527eaf927a18530a9fdec221a33cd52aa17b8f414e109d21041be2fbf2e15b99378c378c70fe8726

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a499f550876ce51935981e9d4db42173

SHA1
9831975a1929d8498839e7484833c9738722971a

SHA256
5960eeb35c41504346fee38a164107161f99fdebb5a76dbe53c899e4f41dc809

SHA512
3af9559d122ceb3a3c0de1e762dad32d282f669e155171982cd88dec0cbac19782097d113f59368ff60bb35f8f44464d674a2cd59ff50110fc65b6bf6cca2d03

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d65eebb7e150901a3fb43d5d3e3ff4a1

SHA1
263b8a76e23af4cae52b754c3c3a22b4edfc9005

SHA256
ff680c0dd45312c98bf5b6f8cf53748c592576c3eb5f00a3df6163c0cc05f6fd

SHA512
73397832cc243de503883009ca354a3d5b5ca863cf0257a883bc9f06521da37ec04d56073c46257c35d515f4a0ca70d1e18ea9f9b7d8858c41cba3d35b7cad7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
38267e8feda80ae6eb9296363a120d54

SHA1
8fcf8181bb0cf93290fb578612b3ad945f19358d

SHA256
b6e073e6d5335b64c30f343208429ab01dbefeece72bfa0e7eac7771ab060b3f

SHA512
dc4b18a28872cea0a52b7c1cfb7f34feda205ac53a9deb03a8e6ccae53f60db9a439a1b1e0ae376966480a2f2ce510a6eef4dde974109aa83bbf600278cf0101

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
65d3d5ccc133101ae74bfcdb2cc12288

SHA1
cc91a0fedcf1c3e19dc0cb31f8bf43454301d02f

SHA256
fa6e5556b151305f3db73ae903023a608ed3315744cb8450d749a3d19e951244

SHA512
26b5775fc2223dec76fa6e86367906ce1e38102240ea176309747434c2118ae1bc8a26d76be19c3c90020ec3a2feace9c9077f6085c6acd9865abfa77f7da55c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4cb8779cd1150d2cef6f90b847926859

SHA1
246edd85877673c7c2ae22c511100104a6b1634d

SHA256
99c0c7faa34a6e149368159dace75c19a741c81744527427881e9672192a6d24

SHA512
38040db5a4a9635f499f9aa555133e1ae570f723dcac7b8a3133e75951a4a4f8c3208e81b0e2c3dde19af0bd2623b05edce6f95c6e5504322af53f19d2cd03bf

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
08f32cdc5ca50f99b19a0fcc746e5ea0

SHA1
4674078c0a889e7674fccda7a7d37703fd9e64d9

SHA256
de7bdcdcdcabcd683e88145a2fc0e3fda25cca46d45035ed69fb9473160f6913

SHA512
e3a15fca5c3d762ea9eb081fb99957a1f04429cc7f8a1182e8b463aad54c8cb34ec1a526719fd3eed90dab7b65e7aee998e59c4cb7a1a5cc98e9a223e934f05a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a9eb2935cd5564585d2c52d647ca6474

SHA1
873a63ce716a1ca770cf608d8f68ddb0c7515cb5

SHA256
0df8da8a43088dc6a13a9ee4a7bfd3233e72d1843576dec80fbbbb641f3695aa

SHA512
c3f58eb7cc3cbd41035dc7b1fe33ee63e0e920b5c8fe851728b81cfa220f0bf6d03480391bebc93f6a6b2c329abb1c836515891f20ec2dd480b71840949537c9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
8c2ee2350c246a40bbd4b2a0e1050ed7

SHA1
0a49cf7426b9bede4b50c727b015f1193c185056

SHA256
285a73b2bfcda8971068b0aeacec827aa639eeeccb26065309d4f5f981e24702

SHA512
3ae155905e86e4828831e522f09af0c44e8b3e0bb3a9c0e058df1915de9ab2a62d3917a0e249b35df965f4d9bf8f88b5533976e2babbaa1e90357d084d5f4f33

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a2470d4355e83d6bd64261d66d190d24

SHA1
2113f35d8c07e6248d8c50823fe0f943e4913db4

SHA256
3c512a10043d5ef778a4863af21f8551f2afcab6b0b239114775f0958df7d2a6

SHA512
01421c2d07a44a57c77cd5cb3de2e9665f5661c3227b5948f6b1455e7cf87bc715682f93720c6b234ddb0dd19b801bd570425bfd8e0ae4bda77896e1c1e8a00e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e52710abbc4199441d6134ddfc6d2408

SHA1
41bb7d4124595a014a04bb7b1a52c74d6093d855

SHA256
3fee749515e9ca82c5febadbefdbcea50e37915a9b5116b14cb5744bf0044afb

SHA512
0c43247f953f1073ccd04e6c07b5c00c237a3c8d5d6781d55117e8cff94346d2a68caea45d9fda03f85c219677cf05fa90ad541eb9c049b0bcaffb1556f1d718

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9d59222036c5c56d7653207aa7fb2d82

SHA1
e41744a8b2c19d38b8ec032cc7f4fe260a39b338

SHA256
1adee926b108ad51919eb70c9d907d4d03c1b91020168b52fefc367297ed75e7

SHA512
bf9640ec5230cc11e5efd08ba86044895e189f569aac308af92600de81ed19579ea1192afa4f7ea789b160781604f1cffa56d383744b2db0c0a9b6da50b6314d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6d497e1c7d05b59178a9cd328ac6909d

SHA1
37aaacfeac80a733050df9a4b2f1129faec67d9d

SHA256
2729ef87007e25a0317f7fea9c9005d95f2c9717a4587bbebf89bed3e6b97499

SHA512
f91fdfbeba6f2896857c8a4bc532f56cb8e84da1bbfec90c5415467cb60a2c35e55d55382be35178aef09feccceccb5da529f8deac5f6165dc5fe94cb941770b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4a2a232d20b30c2bd0fab769821484cc

SHA1
7fb94d41ef1b9afcee3c270a0b74bc822fb2df89

SHA256
72e94da94b8758405eae817c6b822ad2d7582704ce5c43104893efcf10e0f118

SHA512
f60feb914fda3016843901108015c9eea5e40587e4aefe0f437917e2c2679ce2c3d924875d4065fb39d21e973144893944e864c5a68dec95537b1de59b7a8a7e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6a2fc8eba6ac696deabfb61796f15ff5

SHA1
770dbb17702ce5a6d4c47c425ab4c0cbd2944a0a

SHA256
19d979559f48ceaaf2f115c08ab98434c457d897613e4779d96463d83f05e664

SHA512
dccf866855288d1c9200f160b91a0b0f1bb9712dd6df52f124efad0500655b32873d96b971e520466c688cc9f737f3bdf71443210c7b86537c8d7aab17d2c62a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
204021fb496679a2e50ad8b51bf49d51

SHA1
fd1705bc9ef5474cdd58774f663eaf87d0cdcc73

SHA256
106353ee6e301f3c74d5867cccc1195466aece7325436fd3fdec39ffc1089bb7

SHA512
bf404fe2df4bb783da4561fbbdfb679cdcf40b5b72e2a339ca4b851ae3e209bbf4a6963bcc4d6c16cdb572048d039a76e205789878cc31c1020b56ff594e92b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
87f9786b294ecb52cf058d3e19e2bc64

SHA1
2ba54432953061be45a7d2f2f48b82fdf3564ef5

SHA256
7744ca74ee7899e2c0f706dca82912162d08f6d46ef1f23a5f000babc14e17db

SHA512
baeeafb3f3c11d93c54af859e42dbc40159adc915050713dea5b897f99e1c82c126d4f30bb336b113415412cd4d89f3f7288e31c1ab5d3651c109750ec1d308a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0bd098fcb815b8bd1b30cfa42997fba6

SHA1
6d1569f7dff3b2958f693c92631cd42584f5d6f5

SHA256
310a7780efe471cd346d6222770d75cc3930cbac8e79fdc71927a245d5ea8490

SHA512
1b5acb7d118702a99a36ea54a1e820a69cd0dabdb5122ede256bcace6ccd2fca8ca0e1ebad51baff31d4dd5be220147884f44b62c603944d179268770988f623

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
2c919df82e756fd8eccc643aa1727cae

SHA1
2162ace414f84d7120ad5ddaaea567cf76686347

SHA256
5f29a1914a1d94227380c89279b16992eecc901ce21250b4a1342fc6bc22b99e

SHA512
c09a4c138851e6ddaec33fb56b4b2d2be25d59e8b452ebe0ec84dd9a71b2864007226fba36d501f75500d514a3d2ce580b013b15edcd8dd26c8c177d2977ac7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
705199db388a95bf1e9dec143b677d4b

SHA1
6260caf53abd8c952abb353d926bba68b0ea987c

SHA256
c7956796cff1b1c2a51de89e1b44d95fa8986059ee42fa5ebccaa180cd132113

SHA512
d29142158f15252fbd9718b41db4dec6af8d2755a76a064729ab1c650866199422dab75092f0c905178059a04ff2d806412e78f5c576309537367f7185c68bdd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f7457175d2ee15013b7b64ef52176022

SHA1
2dc3e1f838a37a1feec008f13014ce8878dcec7f

SHA256
9f77e0375f2667625a3a1bb2c6b71d80363b6aaf2ca2739b93e814dfe9c7fa3e

SHA512
c601a3fe8eff207894dc12b4408e5365f52ef7d95c94a4de9b141e13b90ef085f3a9e07237425c586169b334fe9b05c310cf6e311ba8ce7a59406161075afff9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
565485dae1417569f9a9bf225f2a00e0

SHA1
c158e921e04123bfe01af371eef5bf4aa560bbeb

SHA256
b5e047a927fbf5d0b810b9500954e20ed7e6a42ba17a12832054a6e8bbbc845b

SHA512
75d25e451f0d661fde71068ba3049c02c1d422f62e0f5bf8d9a3892caa2507c03d54812b9c492a521e45a2641e78c144454fb4b8e6b0a9096f7b25fc73e81400

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
52285541f6d4af1e78dd4a48d5abf300

SHA1
9ece1a05ab3898eb27fc1a2ca146d4fe53d25552

SHA256
4e0fe27a2e752759db9d399e4cbec0a633ace6c509b392d568676cb23010f67a

SHA512
616c17c23cf0ee704c63b5b79737dad46bff45a5cce6724973944369dffbdc8e743fd9b57e6be2c32a1b4ccc006a7fe83c576335fd32e2d1400fdf73e602ed60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c46f4775a51b6916dbb65721209d99cb

SHA1
48565b5c09e61016e08186907c831321faf24bec

SHA256
6b5fec57a458de0c3b27aba36ab0583510fa660fd4b14d8dd3256c0c8be67daa

SHA512
41db1b532183c3e20038843f4cfd7a720f50c3c312faff6152ef86cfa50deae38dc0dba3f2e832f87aff65e142c73a398b3469dd21a20f8588fb3b03b65cf9cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
548c1494e1822a5145839c04b37bf261

SHA1
cdddb205269bfa152d43e36ba48d06ab9835dc8f

SHA256
c726d4f56456d02c854827d180b14e9e1d4f5e016d90933b48ea247683936d64

SHA512
aa999bfa033f0e56ca62dccc190f6b23c0c8467fc13a44b5147a733f9fc87edeaae9f1aa7c68282e068f4e974791d30f0956d1592c8a0741948630d606757ba1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
35213fe01dfb30c6bbf16c20cd8fef0d

SHA1
fdc789e2e01b3743d2f2ad1936c5f5240730623f

SHA256
b04eb19392c69ba60328ce14840249af5ba917c14f8207d48f2c4b563cc14bc4

SHA512
07a5850baaf774fd7ba0e8a98a20f622958e9e526306205983ec0f9ee4464bb41b0e7a0f83650e3bb072418ca5420bf84c4198182d5d9d62404cfb5cfd3f7c59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
bafaf10cb3491d29c79304509a1e0a60

SHA1
3d8526a4c07c2f1d7328039d6beb4710a35bb0b0

SHA256
d77164630e8732e70747f105d04f8475f987d29348cb660336ccc7bcdcdd10c2

SHA512
d2e589d75dc1e931658884633cedb0370b29dbcee7584de92cc5a8108acd33a0cac9ce65b30411a5e79ea24e151757fd49c6314885adce8fb1366b12e6450ba4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
df6c05fac5ec097749a3f751c4f8ef1d

SHA1
1cd8a0f769a0c1542862bafedbd679976f212164

SHA256
93298f9ae9925ee717d5fa2425d9e53e4408af48f1420fb7ac42715625cccd6a

SHA512
002e1bc7c04c17b72b4e884a426b67817b6dd6aca0b7d6bc8c5ac56f52970df1d468ab0e1f0a2924dddc0794a773637352c73b58f5211e7a76f14ebe4071700d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
2a6a54c259701878bfc33aa825431875

SHA1
a1b14dbc68651a58c484ad59f3ecf89e6764656d

SHA256
a1e146c248ae23e59c03223f2c271ceed653d3f6df5c69f51014dd8ec26b4c33

SHA512
af5065e4d308d264cc2445debf8e09ea00e7599b254f2d05c4fb01a150e18816cee1399f3995a9bded87d4cc984a50935fbbec186dedde230d685d1b8c942d87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
6b95f915ef3c1fa447ab4d3e0fd91f8b

SHA1
378e223b6ea21b08157de7630d097b4bbb781f27

SHA256
180f20c882d200439528717a461d17b67d853ff9653ce92f971ed4491881f72c

SHA512
ef7a887846f92b0cd4037ee96ecb6f96629b9356e52de16cb9e07bbd3e1b934837ff8c42064c3ab6eaadecbcb0d8e2fd5390b4f18d55121ac34b8527cff0fbab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
dde4ad51e59fee7721151e7e12da9023

SHA1
936ea5c370f3a2af8c320c382f2d3b832f51ada8

SHA256
fc48de12c1fe50c01c719768bb196f1f821fb66b3e0563549d234e999cfa521c

SHA512
60f7e9485d0bfb43ffda5d5ad456a497386fcd5cffa8cd45b85e20a3d96854eed2c987aaec1469deb31c8ce352efb0555cfabd82a852f4727d62ce18ca541383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
8ee710a0cc2a15bbf3226a29c2b88c2a

SHA1
ed5cfa5948196bdfe3d43861d9222d437d87c14a

SHA256
d160c9e741544dc16ce94527a3ed8f25fc6dda79e4676fe1941e9ba6f781dc85

SHA512
5d39e6039d03e95bcd96215492e5e29a1e18e697e40d0097f12ec91a9cd70a4cff3e34f4a4bcc26e9d60ba4df05820226c685104065ad00e573320e3580aff44

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
74ed523c172bcdfef14a334fb272829c

SHA1
b00e8a738d3b33c54e27563fdc51e6fbde3aaeba

SHA256
38e1d222c0080df2ea66e9122fcf27f2c4510492e694dc1ba27a96e817c1a556

SHA512
cc4c4d1bc0ea8d4517cce56eff2afe15009eab3d39c51285f86f924000f589446d1ef4a10aa8ec27a47adf2f6166dbf90a00275f3cf4b203bfc77f0387b8418a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
55b44df97e9992e5020aec9a6dcb38fe

SHA1
349714a901ff467f97daddfc8228a5440096cd94

SHA256
faea785f197e33f2bfc2b1d9cc976df53256bd77481fba5fdc154f8fb77e1b77

SHA512
d94dcf8ed800e2c0c14f78601e61a08c2009fde7cda3a5002a57b529f542c03d7c72d752698e00dc931967354f74c1ed7bb978572c0a70c06490555cbffec0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
9f0c6764324dd89d5cebf881745c36f3

SHA1
77e6749e54c2aad18cbf029cb810cbcc50ac589a

SHA256
399cf9d3ac26889f231d014f16dbef88d1523c02fedf9baa810b3cd2e13cd065

SHA512
43d436d84df0aad41575866b27fa10ff466bec4b0fd0e6794e1e6a4d3aab70b8c359a414168d1bb444d5568da476f5ce4f02fb3f89f5dda5c9417742a519b95d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
cea5f3622a4437f80b8ff33a8b983978

SHA1
4a69dbea59d04e023850bad8750cb7a4703c72e8

SHA256
db7749878ac8037113fab2c99f939291ef9e3e2cbf1244a20fa94465b9577813

SHA512
f1c649d9754eb3976df8d579cbc74dd1cc54faebf41cfe1f65e049aedcb171ffd0acedf7a90b50c1860816f8ef63bc9961741a259b3ceea78e7b70e5969fe198

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7cbac6acedec7d2f545f23d207321051

SHA1
3f2783f027daf5bcfc24db2e9683d2c5ed2103a7

SHA256
57fe8c93bfccefe5a55f50ec62fa3cd78ff0ddef30a932552c18e7ada398ee79

SHA512
e16c3b68a855823069a901c55daab82dbd4a437188eed068befe148606b8e2c55a1107ab150bc39e399275e270c9a46a8afd7e5c8e86b9654ffd60fd200baa82

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5dee5ec8066e5e318b614177736c6d0c

SHA1
158117ac2ea50adcc5930ce4f651239b399b8c2a

SHA256
35046cd14f646cfc7178392c910888fd2e3dcfd26e54dcdd3475480feb7b276d

SHA512
797ec0c3cd5a98250af05b927daa995876704e12d8ad3c170f3496185fa1ec523a8653dba0b1453400fdd94c00380dee04df59480348959b4e25f1ceb5822c74

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fbd98dc7df9fe99987a268c2df8e768e

SHA1
7a614686801e85ab275b82caa6ffa8d0f1bbd259

SHA256
a9e930a15beec9d3b6b68be4b4c812fe7b2982d174f43a3ac7c7040e303fe6e3

SHA512
6bf09f25faa25a22670a1a6116f6cc72e123499600006b579bf7694eec793e4c18cd5955d6dae5e56afe3996c24cb3050e0639ad5e9054eaef1e2e912c33df11

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
cb5ada12cdb1dc0c14ac2ab06afbedad

SHA1
b63db8a722abb736d76a38f0dddc8fa61748912b

SHA256
27f5009835bcaab1f68d82a5de037bd16b9d18c64c872a23325f52a62d9ef47d

SHA512
3703165f7dc7b6bc358643d299560f93c65437d221086aac066d4173b4acfa48bdf2958a193c2a4e4eb514af49ae659c48ae30f7774cac5eea8ac2ae592ce939

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
dcd61b252b0112a16f0aab1c24cf627d

SHA1
6ca7bdaa72e69a426368a29dfadd8c6499e432b0

SHA256
1e7481723195cfc8b1b19b91b5d2690a1413d07936003570eacc976f04227b9f

SHA512
cee3f5d73aaeee07678019181088ba20fc06335544a2b3593b9245615f7cdaa10755e189a6d6d77129d7ec0f2214dd8fadaaafa3ea9f37e7b23fed757e1d6e41

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5e3c5f250bfe485208bfbb2eae48453f

SHA1
b7c5d9a4fb8cb7d465805d753526e2d8d7388090

SHA256
5e6a79a4736b3584c3b38e23b10090b5600a53a5c6f1f379675dbb45686a0216

SHA512
1b0a5b261cccd10c65bb10f9459f5289f1fc2628911ac387f686e85fcd26aa4a990ddb4be4e623d33d08d49886b21e8161cdd9dbcd6c23463e10e3dd773fab73

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2fd6560135adee1ade4950eb7c2e57ea

SHA1
aaaad82a734037f7ff00a23baa37093ed98dba6b

SHA256
569f8ad4cd87788d13ceac1a4e3d46d7d1f0691d849792ab7e9c677696ebd185

SHA512
152970a375dd9e69e1239bc30b378023fa8a97c07da07d2bc1ff9e9ed32f15830635653397e724771481dccfc90af37d8a90c7bf0d1446cc2df55a6a2c249dff

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f04eca027a07057ca715ae2c8b24fde2

SHA1
824ecc8eab95a9b04ce3a623a379e76775748197

SHA256
6580a8543c2f8e94e745bb96d6e241a5cedfb8588d2855cd9ea09346120f4852

SHA512
21c43b438bcd91f0a9bb9cc757fc8a64ebe5445745810d479363a0872c19e31150cca5f8cd0fe92c50df076ea18ff2687fe07538d7070a49213337a016306503

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d0613c201ed1a8bf9cc6243cdd18425e

SHA1
c30f1e51256e4b4e83c46bd708503ece0ee402a9

SHA256
35bd112c9caccb99a535f71bfbc2528ba11853bea56b53af4680632a615e4463

SHA512
0324a2c3553e6035d5610eadedc5c1d3c182fa0454c1c79303606c5c8209d231e833923d737f895ff02b01d441f1eb0708f79bb501eb0e0fd6fda4dbbadd9068

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0d7c63032cae36be2c9a4dfc1d9bf2d4

SHA1
ee40fdf87a9b8cb75735c0bd231d6b3a474ff5a2

SHA256
26f015cce67244e5c4ce97a202b1619c73ac87054c30056b7c4941073c5b0137

SHA512
1dc524936d033b818c07c44be656da91cde8e7dacd4f35923d310394b37cc36485b16cf637fc9e01baea9f530ecad6ca83c4790509ba12a57ac74f6055684a02

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3d7e7aea606e09c19ecc9a36f2cdd44f

SHA1
e4df87bd9545a4a1e132ee65e6bc218109abd33a

SHA256
fb608b358dbfb94c4d91b3fa28295213d7cc7f07f3007614de07bdee0a0302d3

SHA512
2866fbf31f8f91b25c9210a01f90c57d6cf6c0205e89022f7899f7c2b581a5b41a3ba82404fee650d4c30b34ebc0720ca1102d276de8cc287b88f280a4ea5a12

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8182b69103306681421b41535065eae2

SHA1
ecd0f9a3d7249dd1c29a26b32852152f0f96b219

SHA256
2dd4c6fa03651615df15b404b7742add4f131f6a205581b7c38764b702de93f9

SHA512
b69677557e05e59046d37152131ab308cda676e931599a7ef859ea82fb0655e100f463f86e65d7d0c488315a1ebaeff91f133524e0182ffd2f1333ffc8592619

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
91148ea57309b57018cce0090ac6a525

SHA1
e00c992716e1258b0784a9ddd7d4a31f83fef1db

SHA256
2d780587db0f2856c590593d65684162b0a3ddd99c9934b705e82608357c6580

SHA512
f32511eb889d3d59f4657a441c85cb8ae51c64a2b2d5515c2ded535d2c1a9f8dcfb5f88b4f4501511214792a2b5c9381d3538082f05bb8baf2ada243f8188bc2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3e992e6c08383ae316f779636ecc30ef

SHA1
c9b534e79ade5f66a998424497379be0faf6d43d

SHA256
aed84e044e35a26e76ec6035dd5a1ae5091bf5a01b98e96923ef218a73852fbc

SHA512
61f87eeea08b66b5b0e98e3c4858252e6171870b75fb1071078410ef8154381c776e5ef98dd5f77e9649d0cbfa5e968d8ede9d0080af9481cdfff216f3dc5cd3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1aabd0867abaed3e026e3ffdbc90fe0f

SHA1
5dea01ffcee4ea93e4c6f5aae8d2f47a1a069ad3

SHA256
b598ce7f3341d3f5c74fcaf5f264b3262e9aeaf2bd2cd400f98cb33c68694aca

SHA512
368a53630aea68b1fa977418cdbb6475d09c5f77502d33ab68806d2ac0fddeb2a119858857f64efc83b82095b24d1e421a0b0f12a012e3184a3fd6eb7f872bd8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
826c37292035140ad6371ce85629ff01

SHA1
b0786825a891f1004974b2ea120857038742e6d7

SHA256
69df70d2d8814feb79dce4944d931b088aeaeb7c1b8b41b44beb2b2a612f536c

SHA512
c22c0328af1d90eabaca99c0f64053a1863fd6c46157f914d163ebd58e6e39f388f80efc2ba7b6a3911bd6bd60b40e1ce456b535cc2c3f4b6c736f76fb688831

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6e934df35e390fb0489104c96df9db9d

SHA1
87278394fadd73fb0d4f3a11b04129e03f25edfa

SHA256
30eaf45e86a1027b6e60439a30838d24a0cfe8329bc6143029b94e511741335d

SHA512
473c8e999d14a4f6515b4ae98423ce0e241e015bd5af6eefb690c744159083bc492860d1116832653959063c149aaca5532b3ca153cc053c0cc33e57f0bfde08

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cd42175addc06c59cda24fc7350cd6aa

SHA1
418045a2ed3734f2bfe05e32581fab0285e94ded

SHA256
a82212b5b078b73faf97cd7e1143e0641c92a7a9276d3a6623ec6e840a966d97

SHA512
8e4efb9bfe839f75fe28fea3926d36832c1a9ca06477e818cb82dd4fd93bf591b8a43333899c547ef74689a2a3ec9abc8d6aa22ae5309b833b4efb09867c038e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
b68f0745b7a630e5d2d843c363ed4301

SHA1
11de67e29f269daa486b1a70bb9fc3338b8d24b5

SHA256
69d51f94b5d6b63ac33aad9a05de72431adf0e3de7e49737f111273dfb59d190

SHA512
5874bc229684ba7bbc7621aa3edbe24cf8ba0e51e584292af25922bd854a81ca5e0bc3d22ed29ec7ee785d8bb4e535c36859f973e2702a070e14e50d620b9be7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
de78141f3bda43442fba927a4a3210b0

SHA1
d824aa092c80f78a47f20d95516c56b9572b34c4

SHA256
3be62c52f8a868131bbbfe44d691110f23fb5083573d7892650f855773ac5f35

SHA512
f0bd06a131f86fb97fd684d8be2b2f188556fca38c72b5052dfac6880e1c588915ac293a2958f9b5e42939d1879c5de736b6dd6fb8f4ea0eca516cf36cc2e03b

Download Submit
memory/220-69-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/220-63-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/220-70-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/220-187-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/264-236-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/264-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/464-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/464-85-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/464-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/464-200-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1036-18-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1036-25-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1036-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1036-130-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1124-412-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1124-103-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1124-0-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1124-1-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/1124-6-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/1144-239-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1144-651-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1240-643-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1240-188-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1320-250-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1320-131-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1376-119-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1376-238-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1652-251-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1652-652-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3032-164-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3032-641-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3032-295-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3384-282-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3384-656-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3516-100-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3516-98-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3516-95-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3516-90-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3516-88-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3524-49-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3524-48-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3524-142-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3524-40-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3820-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3820-72-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3820-59-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3820-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3820-53-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4140-105-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4140-223-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4140-104-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4272-542-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4272-176-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4316-274-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4316-153-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4800-263-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4800-655-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4828-201-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4828-649-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4920-148-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4920-262-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4940-296-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4940-657-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5100-650-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/5100-212-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download