ec9cd3f7604ca27314a993641a4680d03aad1f0287a11dcba44ecfba054b846c

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
Size

1.5MB
MD5

1675c71f388486937f8ebcaf57cec6af
SHA1

56856a35107e7e0b7afddbdbde82ac42a367aa03
SHA256

ec9cd3f7604ca27314a993641a4680d03aad1f0287a11dcba44ecfba054b846c
SHA512

ccce18bb67f5301a9c93929e96f46a5d4c78a38dbc464123513b1cd9fc0d02901645db59e0352837d342e4cb5cfcf259b8cdea3df6164e337b9ce640ff74031e
SSDEEP

49152:L+ls+YuQrP1ecUT1YaskgDUYmvFur31yAipQCtXxc0H:L+ls+YuQrP1yOU7dG1yfpVBlH

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4668	alg.exe
3232	DiagnosticsHub.StandardCollector.Service.exe
3880	fxssvc.exe
1740	elevation_service.exe
5080	elevation_service.exe
2412	maintenanceservice.exe
4840	msdtc.exe
1176	OSE.EXE
856	PerceptionSimulationService.exe
3384	perfhost.exe
1512	locator.exe
1688	SensorDataService.exe
1284	snmptrap.exe
2520	spectrum.exe
4448	ssh-agent.exe
4452	TieringEngineService.exe
1648	AgentService.exe
3216	vds.exe
1660	vssvc.exe
1064	wbengine.exe
4344	WmiApSrv.exe
3956	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\91dafc88240c1bce.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4bd56a6c0eada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000982b42a5c0eada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2a2d0abc0eada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046055aa5c0eada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d943d9a4c0eada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3232	DiagnosticsHub.StandardCollector.Service.exe
3232	DiagnosticsHub.StandardCollector.Service.exe
3232	DiagnosticsHub.StandardCollector.Service.exe
3232	DiagnosticsHub.StandardCollector.Service.exe
3232	DiagnosticsHub.StandardCollector.Service.exe
3232	DiagnosticsHub.StandardCollector.Service.exe
3232	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4764	2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
Token: SeAuditPrivilege	3880	fxssvc.exe
Token: SeRestorePrivilege	4452	TieringEngineService.exe
Token: SeManageVolumePrivilege	4452	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1648	AgentService.exe
Token: SeBackupPrivilege	1660	vssvc.exe
Token: SeRestorePrivilege	1660	vssvc.exe
Token: SeAuditPrivilege	1660	vssvc.exe
Token: SeBackupPrivilege	1064	wbengine.exe
Token: SeRestorePrivilege	1064	wbengine.exe
Token: SeSecurityPrivilege	1064	wbengine.exe
Token: 33	3956	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeDebugPrivilege	4668	alg.exe
Token: SeDebugPrivilege	4668	alg.exe
Token: SeDebugPrivilege	4668	alg.exe
Token: SeDebugPrivilege	3232	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 5656	3956	SearchIndexer.exe	123
PID 3956 wrote to memory of 5656	3956	SearchIndexer.exe	123
PID 3956 wrote to memory of 5696	3956	SearchIndexer.exe	124
PID 3956 wrote to memory of 5696	3956	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_1675c71f388486937f8ebcaf57cec6af_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2360

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5080

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4840

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3384

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1688

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4500

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
1⤵
PID:3528

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5656
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
7b9519bca92e7a76bda7ec78026ddeae

SHA1
acc804e6c1bb7f6fcd28a56e733df10a6eeb40ef

SHA256
5722cf20249688ecf5dddc4855811de89a989f1f65842d0910df82be9c75de14

SHA512
11999ab744c1fecd7da8af1f07ee86d61dbf6be7d2fcdb8cfa65daa05ed36eff5bb67d032af8815145943f2eab6adeb74e23bdaa1afcbe3481c081fd1873564a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
9b53650d6c288cb117aa5b447954bfb7

SHA1
e4e88c41ca44e23f6ce0146d1e3e38717305a696

SHA256
990727a2abbb0509d338f214ee77f7ce84b417c6a02c85fe6e7884693016a887

SHA512
84146c309bf58e079b4b91f063800bb976c580f9d7780e4862a4dbc5bc3473c35f819753b45290d6e42524837bd72f5d3e68b007d906a4ba9a1a4be737404745

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
96de4ad33428525adbd7b64eff17a112

SHA1
53ae80a6a68135d080729ec8aa96f02535d07915

SHA256
74475f1f14676a6fd2f52e68bcd9802bd82ea6c12976a0a5a812bf500966adab

SHA512
a4da9cf09b3f2b7f292a2e3a2d565d4714ba8a79bd19e67570ad57e206ebc418be63e99fb5927b7af917ba377d3c35515bd572d8a85fa8e5ef77fe62f6ae5e60

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e79e91fd77ebc32bd36851b3fa952774

SHA1
ae16f8ba1cb76831954dc0a72292d6957e6baf6b

SHA256
b16d9e0b86283be3c68e11faa1116ee6b92d3c3aa63398a0dd369497d43b1e64

SHA512
c6590d3534663e91da1e68b6145c4fde0b882a6e0450224f7da0b28b2c87d0f1ddfe38225368fb80fe0c50d55778b13814d42ca0c100f0b996c7abdd7e84184a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
17a46395e70fb4a026a368ec24661122

SHA1
c3f0eafcbf62512850f89308b3a82b62d12c211d

SHA256
4a83bfa861492f6a02bf8af1ea68d570cdfb7b84a5e6ac1300f9465f87db1eda

SHA512
946e110a515cdd5dbb883f090afa52917e63959f5e5f5f46d9c1d8b54df3aeb82eadb058f29e64499fd976df14ea2b4e3fa2775d83809e826202db80083da556

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
cfdb568d135b2add669aefd9d2ef918e

SHA1
d1065be39adccaa1fc7e5f863eee1198caadb86e

SHA256
acfe09563460b5dea94cc1d98daa4175e9dc89c52530f756f49b1b35334e2e5a

SHA512
e56b34a774cf4fad49ac3e3b179417e16bafa7e23e016bbda1f1c9443067b842a7f13ba59664c36b19d5e94166a1ef1880c4165c98ab9e8a55ac64043c17e5a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c4d8a7f1a57551630ce22703c0cfbd2a

SHA1
82239fa5a9c810489928e1717dc4b761abc568a3

SHA256
17f6b72bffbd4db646d49b047384dcc6e4dc4202ef5edb5acd444365945ef172

SHA512
d0e71c1daf26150557ed8e3df4057e7da8711fe01a1de4c3ef1195ea62b9734358a70accb218455d089cb7beed7c9ee10b09ef8c650c6467069ba8572d97d485

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0903b0811a2b3bec492088fe3fc81014

SHA1
3f41883482847d4b9739fe2a4b87f25d3bcb699e

SHA256
1edc2bdd0618584e7bb9f6de3d72ddf842e35e38c80bd36205386fb44beb960a

SHA512
af48b096c0601fbf57ec826242794aad4fb2a252b6d0067b93522f7c71febdff2a81b6b1eb442d0765d9bda422942358a366dfcc514d6a5a0e345ed731810523

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
39ade89aa0ca185e09b70bb04755d3a1

SHA1
71ad93c57616a617004b69346da43dd0c8e83310

SHA256
474dc0e6b8b29a1a53d8a83d2aa256c8dc9131a6ebda720ecf5ca7e35ed32417

SHA512
b04ab431fbadb4a7461e3d4d34b92e776bf1f6c8ca7b1e5e0702344a2a3fdd8d428df545ec3090de0dc2503588360fd7799c6d0864c1e015a8bd901d09661745

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
260c743c9b1e142304048ca570226ae0

SHA1
a1fea37add0e7f7cbab324a8b90945970d83c421

SHA256
63442ed85970cb196b71b357eb5b77b3b9cb2b7b089d4b04fd040fe65d73ab49

SHA512
b1b64a5e51e80e429f5f2d7412d7d193e176b30e98041faa46c9be4d921b7e2ad2781a1375352d67272bbaf03e300fc9e9c4edb5be9717a9504ff16493794c43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2fca080a88560bfa4f3cc86d297bfb39

SHA1
7da306a60d27fd0734eabc3a01d5217c54b38894

SHA256
6e48963c515655e362380d8952e6184e7b981b45fb2fcfa7638458d6f8365755

SHA512
460afd6d5196dbdd58f2884cd1d0aaf345860ca2cbea3e2a33c0ed226d78fd3a06f5f6808a32408b17f813786ebb4693fb82136c34cac4640ad010136a1425b2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
343978d37c69911774194ab9ec76f9aa

SHA1
db4fef9a743fa0b59f6e7c970d0b689a46e83057

SHA256
0cedf2eee68e611ceb9a517a6a1260c0521a06fe0d0158da08861d09019b720a

SHA512
7d33245217c3f48720089de3302f849b31f7faeae29b8a7669d673b5d11e3cf23d591fc4b83d21167b219f0f4db2b7503e77010cbace9c34b59b7c8b34cfe136

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1f3588491f5e9fdc3b8d669f64bde63c

SHA1
1185873025546af1e7b75f039cc00ce5e08b7406

SHA256
e01c20249641b00872a9cc0b2bb262ded5534b25e9c8388982f113bd318929e6

SHA512
0a2a4fc9b93c6ad4a4f53d5e4182c452b0322747d9c3ae44b1bbc422726413e6f25760918f497472ca054eb352baac1618bd1c9e0e71743ce7b3790d81e99f31

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7ba3b08ca79c40905711315ba5da4306

SHA1
29421c03b7186b5ae57f3de8288b03d81d35c483

SHA256
9e7d1075e70efce96df4522ce669baf81424342f4d2475b9c3cad7f973a5bf9e

SHA512
210aa0afe9aceb7e039200cdcf4ca74a7ba0a4de5a0b1c7f8191203d4b7fdce3e75d5d049560f107d388be5cf98ab598426dd86c27005bf9c8eb7b202e9f70d5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
8398ff0f6cd67e1749a75136f460e3ca

SHA1
188b9eba93752ff2e1ec911d63788115733d1990

SHA256
64f1ca432df9003e9e9da49817a7144006139db891eed4e0f69976d97ff859c4

SHA512
9504de5bdee70d26d6929ba63dfac1cb091c006762d22fab8ca5aed452a7251a90f3a457dd4afd004d44b035907282c9aec06f63d2da20c9713f72f953c20547

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
dc01f7edf81aa29ff47d21b8a78b3143

SHA1
29e0202385a8bf336a3a06a209df9ba7c30ef036

SHA256
c36d6139db3d13cb05389d1d186d3489221650f3d751c71ccfb5b049f13b5e9d

SHA512
0abf69de935119aa9e6ee0071fb3e243bcd1f10a6117899c5cb459fbbbc043d402b42edf084491a398a11f378a1634691bce48efdcf7ccefe56cea36e0d89f6d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
8aac3c66cc071db2a96e496c2289d4c4

SHA1
be2d898de61ce21d23f34ea8cfde2acf9bb98df2

SHA256
d677be82105b62efbaa7d6458211acdd34a454058836e9a2ef49265a47d91940

SHA512
c4dbbfe68a1f68201209a5025caee10f66ca93270f04098b6fe4408cfb947ec6f700972e945710d6eb45342b899ce48470b6d5b2d55fdbbc70ab986f4bfb0b5b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
9f139d9765ffb7041e76531138695aca

SHA1
8363f4e477b63bc4fe5ce14e931672cc93ddcccb

SHA256
f7d5d409ea6800f397f431f7fe4873eb35066158d9bb2eb75b4cb7a1370c2ee5

SHA512
9ac7df8abd359363ff9661f4f47756cb631a69c772857a9d450d1e084705a6475fc47c284940bec45f8668136ffb6848a2613a610a3512871de676d820a8c774

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
6c18cc5006d27ff8a9b934dc51f38f8d

SHA1
841d09e2c4b015b89641957a2ebd0542f702ccd4

SHA256
dcf95f50c797de673f4432e40f01abe0964c41b77705f9dd69273c09236bfff7

SHA512
9cfd7ae8c6a410a87a8245191751a6dd7afb459bbb229046b955e0f68fcaf4336cb815c8dec33776a56d25ef835dbe9336d79e88f7111360d37bbd1814ef86c9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
46936e07a85f9497a471be9a7dc4d7e3

SHA1
23e6d7119563024a20d6a38dcab451f0ec4b0188

SHA256
40d43b9dd61401561781b9175c0265e50d2123302e593c756c6dd09fd86086d1

SHA512
79f152234e85c537df9663afb217eef914f8f1b26a765e51999b33327754257ff9d5ba6e34167c4460043d4ecb5e43508c910b0626fc748ac7a2ac675ccb9133

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
36d8802ee873a9400760ce4d2b1667a7

SHA1
61be557d7bcbdc5bccd7fcdfc1162cb49f8ed522

SHA256
3fa6e6d9f74d08de0c83ef91c8b596dd3795fb53e9154ba5541a49376e2b845c

SHA512
d892021346ece1fb0f6b82d495c881bd2fef8e4577ad10fa90f957cd7b08ad2722aed616084b1ef8a44208b0c48695343011c368c4a6fd615ad282d68f9fb9a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
471333b974d10a72c7d898c4eee26793

SHA1
52ddacfc0114ec0fc76ab155ff8d09ce2dbc64e2

SHA256
2b8596d3119ccb5cf1197a39e704106c817c635dfe5037054dee929e89a928cf

SHA512
ea292d376e1b3aeb2f46054df9a65f828a3f7d140d657e2c0ad92d591671ec98e82ebbb8545134e72eac593c66b8640895d909d6057eb8518e7468c10dde05fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
4abd8a769d324bf2ff13c193846a402e

SHA1
53c3bb243d051a79f221fef687445dfc5769ee80

SHA256
b157179ea167809177e25b46508427f8163212fc1b6373f3a2e91c5a8923ce69

SHA512
34272fe4483a1aba7dca824f9378865b66702dde9a435b358884ec89f9da3389008866d7441a5565ef575b4bc680fe84677402b0b9691518244aa03a34c84b75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
83cab71bd49144ded4dd9424da1d0c6d

SHA1
2cb30fac13fe9a4526ae6f85e9f419ab59208044

SHA256
fc258cc55f4d4115c570f84cb82980731a2b0be059fa21008fe196505324e614

SHA512
c9adecd486f79bc9354d4b9cea400ab7b55844c08b7839c9acb83e88368d2d981717697ed0d294985ad8f5a46e04a5a94cbc533ec371a2c033f47e6e521cc7d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
be0a186b1f841b1e3339bb6fa0b03ff1

SHA1
f7df35375fea779c668bc9c44cc946563f267e3a

SHA256
0ed356ad618eb12762e9aebb89f53972dcfa5c96c1c36598565bc7647248362f

SHA512
2511c4d7cbe4255c5cdc46865e74ad42f12b17d7d60e345bc87d7376b20aa263cbf13ae1a278f4ad72d935ba4b0131953e3a6e81919e09bce8d359009f5e0849

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
561d2bdf9c42f7e1793626f0e340cb0f

SHA1
ab3892f5a2a0127fa00a1ad151107607b584b9bb

SHA256
f3afab0623b3d082d20272b1ff2e8f41181278c174a6b64090aa9e79b598ebeb

SHA512
a44dd79f6dd9bd1defec1a0c7a611341595dae960373f40891926ec742ccbdb0115e85a685ff452d43e01ebe08afd82aa7f0605ab07438750e7fa908a144ec7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ee49fa53dfd1ec7292e32f42d86f4a20

SHA1
d10800e14e515e25ec9d5313119caa7da3bd227d

SHA256
ac3eced071a0367f368ece284d990dd0782ed8d2841958b34efeb06232a9adf5

SHA512
fd2f1a31b1b92236f1dfa447d3cf960fc2f64769690db1e467e181a3705bb200556fa1678fbf5a29f70ba1edd17d3cc6194a212ef217d8bef413bf6e917a1ada

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9232ee3dfff26b52b052e0c4027df04b

SHA1
20e5ef7695a066a6b7434649b219e7b861e26158

SHA256
8525e4e8be8d95e7947cb2671041532206aaa3ecb19edfd509b28ce25b3d1917

SHA512
b5570149668c7caafea152af14cafe79316d95b1259f4f7d6f58ac426d9410e92e6dab961c3d19c5740b2c9d6b6b89c6137574b38b43a0e5dd6d36ef6ae4a788

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2946e6d4bffc8040ce8e06b70e1a9676

SHA1
de83ddce25782d4ca890c3697524934233defebc

SHA256
caa83876125b7e3f0ff84d5f474b1f4f4273a765c455526d2debb8c63477b954

SHA512
4047c0f74f5b344caef0d7d80bd102100a1524b9a0c57edb167506aad08230eaaf928e4c7d962244c8b3dd12720b5b1df1037fd11afa24b719d729b9e01e9897

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
59c5330d64da2872a6aced61af0af041

SHA1
946bb1de69182f5868c4d0f0ee7d50474dd54d7a

SHA256
292b0d5e685b2b948fa4326a207ef0b9eab5ffdbb952e255d310fb6b14cc04e4

SHA512
0866fbc104ff3ef29eb09541bf787b30975fcf83127beb7f2220875933967deebf10d0d1c17a351598d64a80eaf603b06bebfb5f0505a69292678d6f593b6e87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
92c4ae19b08e2fdec3241fbbbe59fce8

SHA1
14bc253802253cc083b6b136a737bfe28ef8f48a

SHA256
c766a0368e762f3dbf4fedf1e385c6b51e4b3479ea61df897091d5b0e2ef33bb

SHA512
7664d2e021df6e166798e34f629ff53c3bd706b705f8e69b5e1c4a1a58574d2999f07e26ae094253f97f371dfb359745f6d140a485a7120e4e6c9bbf36678555

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c7764a11e63c20da3ea7bbc084774317

SHA1
a7e0742a99c4a3c0e3b880b92785d58513ba4fb7

SHA256
36c6fe81f15b3d204d766dc1028905667f43471b35f149cc7480c2f1d8f74c29

SHA512
b8d0de1134d625bbc832ba52f44c9404cc3093dc7a569aee8479eb617721a50407c8d82fda611af3d0bad7254a6b4dc377119e1bf536ce149374d2dc8a1cffe1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7b3d2c2e31e5b26636990106324e8b06

SHA1
62b849b05b44007e55777d706fbd2f423de5ad5b

SHA256
7d6424dfd28d6f9dceac931069c2d8cc8c43111a33d602c7e85b26f910741b8c

SHA512
5955dcc79fb2349a6e027cc84470c09f7beffa32d7dbc065e5938650c17de7000870f051535b7d18e08d4993aa8b5b35197f028be29edcb750c9b1c92521a0db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b7fbfe443f3874c5dac91ffca2ebb825

SHA1
08b6d767e4064319c3728c2e5a5f2abc3746b6ac

SHA256
07dd1841561a5e560305abe867613f12d4c5de5b714769adcee98a477c92a62e

SHA512
aa97b8d57ecc55cd8169c1816cf15471b7e965ad8662432701d0c91c3dc5f333c74cc21f1875bbb0369c338e5af76a5bb94eac2721aa45d32744cd2abfbfff23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5dc5136d5654a0f8e92c671caacd281d

SHA1
3f2d0900e6c929bd9104a0c4381fd451f911cc61

SHA256
296e74c8fd0988e542b99b1c15c7b03a62c4b27480013c319f575be483da6b9f

SHA512
48105c3bc0cb14a828aae6e41b5b29ddf3b41fd8b2530accba44bbb25c75e30e3f670a7da889d95c18c05a8feee0f7b7bda1e32b59b5dd21a90bde36187f13d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f4ce0be551889ab1293d7967ab120061

SHA1
a0f0168e0dfe337ffad22fd498e7bc3ae20a69ac

SHA256
572793914a2dd62285cf1c6cddb00bd22bf0480fa0776eedc45341dab85203c9

SHA512
f117c7f7904cc1935c2f4cd45c523a7206d336d9904ef27870eb1831078b2d15bf364698f2a0e2e75a31f682ea55b5301bcee4c6bbbcc6989f4551a3dec01213

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
f32062b9afc9ee82d51baa20c695649c

SHA1
0f3ab8b67a0084f856a557c3b1cba4bdb4890b4d

SHA256
09f6f27dffbdf8cbdf9824c60fb39b54bd09424a1aba1fcab1e194bc253e43e3

SHA512
4373c85207a62e59591625bd58f4221a1f54aed2c28b9b065f9241781932d27f16f236cb6b5920f7e556cde27bf0bd04303537d70c1525ad029ff2ee23c1a9ca

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e3cf95847c5b8a24d277925f746884af

SHA1
cfd98d20904acf634ac3094b30a1b94b58199397

SHA256
45385200d05c8391e598b49fda4f41731fe0bfe59ad2789a453bbb026ccad26e

SHA512
b5e1996762d7f39fe4ddc8c52530e1559f8548b0062a45836439752b5d0c892af3d3d3789344e4f4106190bd13cc6f712cd1d32088c99b382e06e0b4d39c23ca

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
5121ec86296cc3a8831cc069010da378

SHA1
a6a2b8892ceee31ffb4c205585f5a6ecffd157b7

SHA256
e8b30c2eca820428b35821026367216061c1209b4b92ffff3b9e660487f94e0c

SHA512
65d8672f81653637c0f88d7f7457a1e189321d8c0e7ffb04f7318b49cd79574bc32621120a320e82a68bd02e9e35b0ae964550caaacdc3683a34f4185ac96d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
e93e117db119b15a2010c9f054f1cd20

SHA1
0e39b5205a4875a0f17ed59f703da023da224664

SHA256
fa8416e92db87fb36a38cca2cf1437adba4cb03ccf84905dee0cd98360b41503

SHA512
50b3c6aa89f6f30992d2b322e8e57cbe6dea7f788b235745d6d3a2d412145a45bcf3122ca001454400f1de05d396ad318e1aab3de7d56ca6b363d085e9c1c375

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b322818b1d5cbb732f9d1ebccce809c2

SHA1
5d8c2133fee2217082d487774ecf19d59800c29c

SHA256
944793393ddcdc10d6bca3f6a2058557ffcde0f91f528c85b0e92aded9b14cac

SHA512
77a00ddbbbcf602263092cee8e45527ab03c0782ec24a5fcdc6f77ee606c286bbd86ae5d548ff37235c8583cdcc01e558c7d99b1ea64e7f938a6bda1f35a18a9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
438ae84f34266dd54b49b9b556dda721

SHA1
d23ab657b5207b32d14d66653cc23f1ff0d5ba48

SHA256
c61bc5a3c1307f90b59ffab542b1b0da1822af6154042001970f173868c2b791

SHA512
c1941edcae12d763b38da9a3a864270cbc3be4409b0cf2ae482ce9a0d1e5d99e99cbdf6d0e6f821d9cc98fbd3e3ecf94ce09128a23f9177c849bde3dd26e50c2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
00ed6737df95beab49960d4e98b8f787

SHA1
b9329e0e522a535b42683ceb881589599ee1e488

SHA256
eccdc768bd828d662ebf54eaabb2175d718faa0602b76757d8a8bb6222ca0f4c

SHA512
c13c4d250f3e56f843f48185af20d38bb3cc6174cb7a59614869882a49b103b51b6392184ed1e60b95adcb9a9bfddee65d2a043a72148487f967762cdf12b43c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fa965af67762b4abdbce6446d860c337

SHA1
9fc46a0ee078e4145722697943c497ac73c9cfa8

SHA256
717791a4b233a00c1c83616647bdff654b1592953916659b589295b8067ff71d

SHA512
57d987b7b558560e55eb463a1ba309aadae9ddcaefc7160ab4331931ccd401602258540e56d00dbb681c77966cabaf9d483ea031c8b5c4e42a89af0885491798

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a1a1d2fe3c4b44dfc72695e99a3c3586

SHA1
909959bab5b930f5169c335ea5f46487e817621d

SHA256
8aa8208da633ef96b5774368be7e2484310690c690f611353e511e121110a2b5

SHA512
1167f2017122e6665397e4f7c0b4fa71c78e3a12a48707f8aa8d747368d8b5d2411e7099cd6bad153c728ba0f1dd60a919bfdcece44dea741d03a5d380bc372b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d8e4b06b956a267530da6eddb0327f58

SHA1
21aaae9280aaa972606d020a1709052126793f48

SHA256
9a1afc56b4ce36f57bb71a4eff018d3842b836f903ce3a38cb042c588c313e6b

SHA512
d734016065669234e3c49a9d5a3ea1df2b199a5d4177afbd9685a2b2754e0c5272bea1be4143180c9491c30605486c380dd9d439857f3073018e5cb6cc5910ff

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fd5d2ccc545f24892e19c5f6042a42a4

SHA1
15f5bc57f595119ebe20ac53cc05158530818485

SHA256
22ced1e297502146aeed79bbde5acd33460f14be178c7efc88b1fdc307105bfc

SHA512
1a08f3aad56d28fd3eff2d711c7fcdc500ee2b5654ee5fbadaa1a4315c274b90869ba52c5b430846b7182f6759fc5ec9c24cf4837dacc82a7c1c918cf1ff2cae

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
12d347b598f07b8403121581743bbcc6

SHA1
a1766776fcca86708d8951621540e983f443cc27

SHA256
c758dd01907aa3e93c792ca3230844ece6a779372904708abfeaa6d1cd3711c8

SHA512
abee1e9b1c814abebab76a13c5fd7396691a58ed3c674e98d3bd62565796d563aac0aad5b0ad9c713db3923813939429f94dc3b549678b5bf3de56ab7b01e037

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7c690f6f1235735c4f03395865d5022e

SHA1
291fc0c33e53022400a95ae860406bcc848362b7

SHA256
e060da33b8eb5b6b4392931c257c56ca2e58953499a90cd98f91997729cc3138

SHA512
9bda6f4672a25de3b99d89ed0db4a53c3895fc0803d06bf4a52af5513eb009048691815d3b89831dc74aee2432e4cc8b4d799f5b92b8a94e5b3c5c55c4700aa3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
695506bc50a84e86f5a856436e188a84

SHA1
ae1d20fcffee11c2e63e556b6c8831a42e94b7b0

SHA256
cf1c495dc4a2c87948ace69548426bbe1daf7c40c483747c6ccd175763f52a62

SHA512
f57f8dfdd0c0001b9fda9d18825eb518ff8bd36674fe226d2d95bf560b4d1c9fe102ddd8fb6570e940b853ecfa9fc24e86346d9e6453d9bc3008ff3ce8d8696c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9ec3c616b65614ec3449c4d9ae1a0c8f

SHA1
4c335a1c64d147ccdfcdf233f2dc2b3095a5474f

SHA256
2505eec2f746961215a344251049aff0ee1ffc09ade16e2bfee1ce0de5c7f72a

SHA512
49e13e56e4802c99f21ff70fb227a9dd870ee347659191c1f3a2fb52a61880c8979147baf8f83616bc4cb2f98b0e6e8a44bed26ddeecea99a14de2edf371ceba

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
33dd12af291cd0f0a49a33d0af2bb2fa

SHA1
2aabd215a6f9857b2429128316ca13d388a715ba

SHA256
ba31a78f505e06732265bf92b12c734be4e417feb9decd271df6a7b9187c5884

SHA512
4759ab20dc3099fec253a3e7be5fed2ce8d4ac15caa84a7a049f191da9923511be5510ecd6c86c13b3c6c284d40a5d2e5c719f2e28ea170a7a3d13760bf6468a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
51e89f4c43dac2102c8ea328bd8d70cc

SHA1
056bf7c8a22d6e11e04e0097db303d7ff36a86b3

SHA256
83a264a71798c7b55df0237e662e8612b916c097f29b1bfafd3ff7a8c3da4a71

SHA512
5532166d1caf43ca047fa16cc30c2bc2b68c75bd42d86049da558e8f1ba15219bbbaa7c4cc2128b3df139e16edb56fd7828c23fd9c55aad2dcdfffa07bb6a3f3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ccf0acb60bca0af1292c50d98ea62222

SHA1
1e19a2b0c67353485fa448bf904b9a9d6f4b2a55

SHA256
84c3dd39c89ce118ecd09201c067dc62e84bc87510356a7094521ce6616ec9c9

SHA512
db550a1ab59f790835ff4983fc5c63347a7c2a83d72d34095a16d85ea708c93f169d7c7f4eef282f2490ce8fd095e4ecba95a880d085cd160b7001bad2aab8e5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f3dade35f3ecd35b978c40d2041b6c02

SHA1
415c75b1e21996e65fed6b6792afa7722fe7fd10

SHA256
4550f694a42b5e10728c5ca4eea4c9bf41f6779c2dfedf380c71464dc9e05cf1

SHA512
944b27ef232ce8cb444b8acb70a858759b4bbaf9c3cffcb79bb6bc498c6009aceae82c71762bde0ad6af7aaa5e6345a157e88406497f606339c9de36790659fa

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e8ef7a717b475d5c86f89474216d8a0e

SHA1
cfb0905268d9b742ce37112683513cc7a9e7f8b0

SHA256
ade7f7d0003cfbe6483cd0f0d62b2a7882e0a052635591c03532769c95113d8a

SHA512
4bb2ddada7711daaa558b142a3c81739234b1b0bc1480dfecf42ff729a5a9c2f1a13e19e612ee030fe4bbc64895b663ca50c07f7dc58669ef7d5723580044a25

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1217aa78da12650d16a697c7ec8f5411

SHA1
f25938a618cf6f16aa295e9ffd979336422d0160

SHA256
9a271e2410a16d2fc61bf86abefd0c19094e90cd0358187aa2e5081c62cc5556

SHA512
ca48ef1926fc65b2b1d13bdeabe861beb25935dc967b17e5ef98510a6bd3123fc877ae192c87f8d343ae0152bd0dafb4ba60d3cb4ad55807da3269009496c1a2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f353c7bd9aa736db751fc35932ef8497

SHA1
c78190f06853906d3875ac93fac0f719b1f46715

SHA256
d5ab253e0748225226fdb3c4af5da7f31b032d858234df27e6c182cbfdbde5dc

SHA512
3dde635d1c744f8b8208235bf0df703f4d5972d7c023acf073f1aebc8b399e9f2caf81fa20eac96bca8006d66c771c845f888ca7ae54bd3828a8edd1cc146877

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
69a619a3e09cda888c69b93df698818d

SHA1
18170186c42ee1430be1f7a8f257e398317eb26f

SHA256
cbc6f1785392df4e75965468cf9b945931eb728c81780a3da5680bc25a30084e

SHA512
a826d62c10e73dedfe642898ebf14acf4084af5e929ea4a843f144237ff18b57e465f90287e17580a4aa229641f2f3b51f2ee3e2fc9fb866779590dd211486c9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
e1bbc833d3ddde94178404a72bb155e1

SHA1
0bfff958e0effacbb481d9c0a8e72fbb98ed2863

SHA256
993bfaa2617a63637dfcb9b71781b748f9f07a0e9fe4d30b3130c4e55cc6da9b

SHA512
b16a7c58a7b78f4512225cba74e0393f16c255195f93fff68a19900804d78805e7e052a230c2c0288aa90e2be7483ba66757631a3d8e07d8be3f27c4d0112120

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
94e0e4029ee3d91a19cfb2c7c48114e3

SHA1
acda8c79997505c17183f85aef9e935f3ab295af

SHA256
64e0d6f43bd59b01742416cf1122b3b630a51e8dd63f3129a4a9b79f9b5e319e

SHA512
c0d959cb47d7997baa58a7cf6f34b8b1a5ef0808f9c65dd13d0aede967a00a8c1c5786cba85fa9669f442f0a59438dd78196beef37d5f153b4068fbbf0edd29f

Download Submit
memory/856-132-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/856-249-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1064-612-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1064-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1176-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1176-120-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1284-176-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1284-498-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1512-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1512-159-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1648-235-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1648-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1660-608-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1660-250-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1688-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1688-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1688-533-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1740-70-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1740-73-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1740-187-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1740-65-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2412-86-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2412-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2412-95-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2412-97-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2412-92-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2520-553-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2520-188-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3216-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3216-238-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3232-41-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3232-40-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3232-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3384-261-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3384-143-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3880-60-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3880-101-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3880-103-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3880-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3880-54-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3956-295-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3956-614-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4344-282-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4344-613-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4448-201-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4448-589-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4452-590-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4452-212-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4668-131-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4668-19-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4668-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4668-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4764-414-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4764-6-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/4764-0-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4764-119-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4764-1-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/4840-104-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4840-113-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5080-81-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5080-200-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/5080-75-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5080-84-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download