0b247bee5e52473601adf0dcdfad2680f069d59ea6be1a2a8a3dc83b2399627d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Size

4.9MB
MD5

b1b3a924a339c84e5804f4b95c9f1464
SHA1

c91e7fc26c9dae92666c467f06cd55e6d752fea7
SHA256

0b247bee5e52473601adf0dcdfad2680f069d59ea6be1a2a8a3dc83b2399627d
SHA512

b984bf222bd91a15df4e1f38832d85589c8c83b67cfc78e0765656bfc41bbec73021573b5dcd14d18b3a1ccb25d9643b5cb52dca67ca330c8fdc4eb22cb7b123
SSDEEP

98304:EWqq+Mb+JyWvfIy5YFWAvwzn7b4ZhIBRoKAtqzLnw9rTAmIB/v4:EWaEWvfIy5YPvwznKhmoKoWLw9rMz3

Score

7^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 24 IoCs

pid	Process
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1304	alg.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2272	fxssvc.exe
3424	elevation_service.exe
2980	elevation_service.exe
4836	maintenanceservice.exe
3444	msdtc.exe
1628	OSE.EXE
4448	setup_ui.exe
3904	PerceptionSimulationService.exe
4708	perfhost.exe
3036	locator.exe
4456	SensorDataService.exe
1772	snmptrap.exe
1112	spectrum.exe
4132	ssh-agent.exe
4060	TieringEngineService.exe
2012	AgentService.exe
4344	vds.exe
668	vssvc.exe
4336	wbengine.exe
2088	WmiApSrv.exe
464	SearchIndexer.exe

Loads dropped DLL 33 IoCs

pid	Process
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe
4448	setup_ui.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\41b907347cad7dd2.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\ShowReceive.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_ui.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ceecb9c8341cdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb1d8ec9341cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045897cca341cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071784aca341cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000883d8ac8341cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c35eaca341cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a35889c9341cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004492c2c9341cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Token: SeAuditPrivilege	2272	fxssvc.exe
Token: SeRestorePrivilege	4060	TieringEngineService.exe
Token: SeManageVolumePrivilege	4060	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2012	AgentService.exe
Token: SeBackupPrivilege	668	vssvc.exe
Token: SeRestorePrivilege	668	vssvc.exe
Token: SeAuditPrivilege	668	vssvc.exe
Token: SeBackupPrivilege	4336	wbengine.exe
Token: SeRestorePrivilege	4336	wbengine.exe
Token: SeSecurityPrivilege	4336	wbengine.exe
Token: 33	464	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeDebugPrivilege	2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Token: SeDebugPrivilege	2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Token: SeDebugPrivilege	2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Token: SeDebugPrivilege	2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Token: SeDebugPrivilege	2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Token: SeDebugPrivilege	1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Token: SeDebugPrivilege	1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Token: SeDebugPrivilege	1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Token: SeDebugPrivilege	1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
Token: SeDebugPrivilege	1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 1708	2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe	83
PID 2864 wrote to memory of 1708	2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe	83
PID 2864 wrote to memory of 1708	2864	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe	83
PID 1708 wrote to memory of 4448	1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe	94
PID 1708 wrote to memory of 4448	1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe	94
PID 1708 wrote to memory of 4448	1708	2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe	94
PID 464 wrote to memory of 652	464	SearchIndexer.exe	115
PID 464 wrote to memory of 652	464	SearchIndexer.exe	115
PID 464 wrote to memory of 2764	464	SearchIndexer.exe	116
PID 464 wrote to memory of 2764	464	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\temp\F307B3DF7288FE11DBFB2E2622AB6F3A\2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe
  "C:\Windows\temp\F307B3DF7288FE11DBFB2E2622AB6F3A\2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe" -initialNonSecureSetupPath="C:\Users\Admin\AppData\Local\Temp\2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\setup_ui.exe
    "C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\setup_ui.exe" -cp=objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAAC+Oirdx5oRkzhWVqCOSlaAjwAAKwG//8Nqcxuy+UzFC8AGQAHAEsAYgBrAHcAZwBlAGIAawAAAAcAMQAwAC4AMQAyADcALgAxAC4AMgAyADAAAAAAAAkA//8AAB4A//8AABAA//8AAAoA//8AABYA//8AAB8A//8AAA4A//8AAAAA:
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4448

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1304

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1416

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2980

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4836

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3444

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1112

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:344

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:652
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9cbed67c48a7a55b85ea08ef6ba3688a

SHA1
923eaa57ef0a6d3bf6c619783405a0f21c787d0c

SHA256
4d6cef1b2af7458af7a61288a247d3eba09af5b4a12e9cc20ea4fbff4c8a3534

SHA512
6b3d2ba9db5cd4eb6dedc8fd52b00e1d71b64e17408486e561d73e607bd1724d8656032f2c6fec7522acf8f34c7650246679a52fc9089e458430aaa51646247e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
91ab326d8c86b881e8373b63e55aa72c

SHA1
fa65eea8c6eae63af3294e4410a3a4700e5c9f04

SHA256
fd69c9b7f650116d3428fabd496f9dafda73165fcd3f7cc4ddfc9ea1cadfa33b

SHA512
e7620284090e68aeef86d4124d19b7258932eca7c9273c9c14214450603acbd37af296c4b0fa7c5976dbc6973998908163d3ed8d41136c2f63ddf6dc4b97b8c8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
7ae0d29748d02f1a787696a8508f9f86

SHA1
8213715bda0b5acc8a2ac73e4940a8f206224852

SHA256
2feb9eed3b09bbea718ee6a3feaa09eeef9cd3fcad1d03f73e4a8594cd5c7f45

SHA512
e9f95c1c0548916f4d096e21ec791f567fbd6bddf2f1af16f975331df193f4457a29f203eba34546e36051010b2b93b7e2e6ac20fde24e0f19e040713a26c182

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
635d7cf6166dba390e72d7121d033003

SHA1
f2623ca8641ae5562b492d72f889fcfeff41a041

SHA256
d52e2c22b7fe11d74874d2e163e17cabab4df8bac888498e183e6558ca01ca66

SHA512
99ce0bb789ad6c6587ccbbff6689231f00ff18631e777ea7a26b67263638ce15f133eeb03edf93c49dbe14e8143ec7c78938f548da4d6ceb3f56d787244f6203

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\kl.setup.ui.core.dll

Filesize
73KB

MD5
3d791db3fb8df9cfb95cdc1c89f576cf

SHA1
977725bdd90b7e20d86285c9d91c294a98f76ece

SHA256
6ff013a27dab58effd6b1fcc885e49302ac99a371c640f01001e036c4f06c6e0

SHA512
64cb627d2fefb9245462b5410cc7bbc111d84838f3be2fb8091cb5847faf115fe00397159db01ef6079cf6bbee0062ba71bf8a253b103f271562c61a79eb4a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\kl.setup.ui.dll

Filesize
279KB

MD5
3c7d941e01763db131f05cd5e17909d0

SHA1
a7f8afec2bae02d5e71de09691ed23a59afbb36b

SHA256
a985540c3dedab11d80faa0537ffc3e91f3f778da28f7d60dff3ccbbec97de74

SHA512
78ce5069df9da39b01ebea7ef7c6b582a2b266e51359d1d2561413df290f3eb2039341fc474317c116232542899d7cdd0d84e92837677770988d164f53e2b65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\kl.setup.ui.interoplayer.dll

Filesize
55KB

MD5
b7e44cf662827b55d7f1aff8ad75bd01

SHA1
26447133da5fa2b79abb4004062d088501492a1f

SHA256
a82b14a1f48329b1288e92cbe72c033c1446fb813f6a8551a86c5dc1ade7aa16

SHA512
c46e8141a42dc5e0e491f1da09b5e2133fcc92f47e224309fdee1010229b262e94460ccfb63ebfe1ee7edadf10c3d1da3439e5d7e8a885f5f04f729657ba377d

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\kl.setup.ui.visuals.dll

Filesize
406KB

MD5
70f74920e8265226ea92aae61e555df1

SHA1
1ba3bec7011418d63d181c1ac452cec1f7beb3a3

SHA256
6ac4ff8fd298f8f78c825eb714c801f026db14a1862eec9562952b59a2f862f8

SHA512
4ca6d4f881a2dbc1f6c0194451429c389fa0b6a9bd18f5477227895fbb5a5d513c212c4adb48d956603a95216f70c52f07016be2ad92a5c5ccf4f5c44d592673

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\kl.ui.framework.dll

Filesize
213KB

MD5
676bdc05672d36e2ef7de38aa83a2803

SHA1
1a87a7c0b8571631800c517fac92a06bd88657b9

SHA256
79c7455735eb0b7e8b3cf46da78b06fb81229169d85039afab44ca74fe3f9a43

SHA512
c136de38e9bf50b901ab79d51169356f6f8077c18d440ea39d6920f2335f7cd67537697b90479be4a6dc59529842121b84f2e7b9223c740e6453ae47ac3de78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\kl.ui.framework.localization.dll

Filesize
285KB

MD5
2985b28c3485039cbee81b840b5437b4

SHA1
c7020d197d094196137655da3b0196720d99d2de

SHA256
586c371ecc1b17c7cac9f8d72961d9d6504b0bf855ca3501262bb0338c6654a4

SHA512
9c2c82c1c1bee1a9e76868a7598998c0b927505395e700d6aac05e7c2a4f522f715534bcd8a512152b7879fc87ee11ceb07c4ef440de5519295d8ababdac6022

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\kl.ui.framework.uikit.b2c.dll

Filesize
659KB

MD5
8acd5d780ddd04ce22f90db393027cc6

SHA1
2466b7e57fb2997e50cfac797065cbe7c565e671

SHA256
029317b7e585abd3561020ae0d9a941f64abf01302024270c7fa55648d0c5360

SHA512
a57c323a7267a21d2f262d99edd4edc7ba8254e301c3f9c0f8b9d9fbf21914896c0e4517a3a1985976cc80dc2afca595c7369537fa11d10185be26b734179946

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\kl.ui.framework.uikit.dll

Filesize
2.9MB

MD5
05b722edf678407e6da411924d11bf74

SHA1
2df3ba610c858ea6156867f1ade8aebe3f278d28

SHA256
41eb3558586ee2eacc0822b725fba7f755f54c7b0ac450dfeba5a59057192b44

SHA512
16a16d35cbb0a71298ce3413d44fd790ee49d8649e0eb9587cd6f20621a3ede6987de6bdb2377180d4616c4fc2b677cff378e89aa9e8e37da3b5a7e6e5ab7484

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\setup.dll

Filesize
5.2MB

MD5
7890d9d216271426009bea34fb92b679

SHA1
bd57d457935c2ae978d1d04f841b838f8fcd5948

SHA256
16bf70be072327d3a7ec8ebaa49ac7a88bd51d6b1dc4d11c31120518f432506d

SHA512
6f35ba249a5da7fa8c541ccb3c40d5c2e605dc8e013652fabaeb6899a9f70bbd1ee3e8eea5b85566dc4d9b0dad6aecec93761d63fbfae0bf94bfe5c719bb243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\setup_ui.exe

Filesize
656KB

MD5
3417c299a866aaff3a715f3184f1fdd8

SHA1
b77266a2acc4bf70c2ea551c0a18d84c2aa18d0b

SHA256
037fc05ba0c22c5a4c69a8e8602109c144a11c57985c5cf826fc5ae625d34978

SHA512
bfc12b060d3c0870912588b9948c89d8913ba9ee788fd4e974ccfaee609ba95208d8b83c3e5d17cf48667849f507d4ff0041824c08f164a7c28876652a65772d

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\sharpvectorconverterswpf.dll

Filesize
136KB

MD5
9ed0b05697672396a56f9d5c249b7c53

SHA1
928e251256859ed146c8b566287ccbcece647878

SHA256
93a87c48b86a10f6c0e59827ae90e7af45a0fc61f92df2a64ee47e4219b3873f

SHA512
e0ab1c3a50d09ee5174cd1a3ff27566a0e23e5a75c7d16da6635df227e57d68e9cc3cb0f89a14148fe5a9d506e0431f2654bc678a26c928fdd093140051b974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\sharpvectorcore.dll

Filesize
201KB

MD5
9620b9b61a710c8a2178747a74d066ac

SHA1
1d48e8583dcff441d880b2e2d00fa2c9b6ac905f

SHA256
3929ef5d1c09611bde783054cdaa6f19e07a9f22c7e9c85edf9510d13c7c423e

SHA512
c88b2dccc17e04ecb9afe3133069778a88873a98133cc2989fde6ced1cbe00c434c9bc6019fdab02b0b65db65f81efc18e235dc2dc827a28cbd0f6397f3b7f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\sharpvectormodel.dll

Filesize
996KB

MD5
768fd4b2b69b57e5a3370dd19db5bd9f

SHA1
6fe8859921169d25cf67af7567f2a97df7da7941

SHA256
4eb40c9c1019c0804c813cd0eff2c0da709724b022a4e510be5d6a89cc05bab4

SHA512
e08ce0545235b1acc43798eff56570752ae2bf77adb38cb3fae8e2781f8c9cc1709d251709e2491fd8ef203676c9ab7fe91590792ae37226c6e605eb36c4a61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\368F36DF7288FE11DBFB2E2622AB6F3A\sharpvectorrenderingwpf.dll

Filesize
202KB

MD5
e53fe31b6e8e76e82321b1a7333cece0

SHA1
d70a43434b8c3022fe9c9b7f2f3be15c49bd8b72

SHA256
97ec1da3c2bfa0d12f3f6d03ceb7316214a07e55f183c324746b1ce8f050503d

SHA512
e1679116976918d520f01885498d46e0233a1750a47979cbd675ddc4b8f3047a616cfd94bb60ad15c5dd1a9f49357eefced5b012f7e2e90a5ae21515fa51e3fa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
6142034a923231cecedfeb3e74174b26

SHA1
5f03c13f514e5babe50f47106328b8a7dddb4dde

SHA256
dfebff6d77ab20fb0ab9fcc953be43c08ceaeab649745b0a9fd39edd6b992fd7

SHA512
ece08be69754fb6f9eb95bdee7dbeba7ec71402472440687b0feb7d22f6d0f52bdcee9afb33744e9aced8f26268ce66fa15d9fd81ed2652e6068b6947a1aff67

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5e4231d044f7a3b55c90ba3661c48a59

SHA1
fd178d5cdc28944edffe62be87018952490f31b5

SHA256
db13fed8032297df1ca9f971dd4dc62c873d44b9c56e2098b615741791b8ba22

SHA512
246e19cedb18c29bdd572c0b42e1d1b0d73de1d59d8607d1e92a0175fc83c13f29e8f2da7608a09d6cf24f3eab77dad699ee93f5234add1c54750a35aedfa37b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
529204f0295d058ee29ac0549b9f4067

SHA1
90871e2ce3e3a19f19f02eb9c9b6b8ea7fe49b67

SHA256
dc122e1a788ac0245467bfc96f735b37af2c67236223eb8960cb49642e7e8817

SHA512
bbf2dfe155552b32181a8affd9fa06acc3c2071843f76777668b267f9c4742c1a3491f9a3089381ff5a66bfdf4204cf29102dc3e70a5afecf9c846b5a6f266cb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6148b7ef1c1d51ab9325d31fb1931aba

SHA1
6ec7d0ddb17ef68f434ecaeb12feb641f631f4b3

SHA256
3858e8cc1033042826275d4947a5553eed04d02965610eba88166f4f613eb384

SHA512
915322cfcdaff682a0425061385b24aace1ba5c55f4469f6f402a4d0b6e2021d8b43bb99a87163040fad0747f47a4a864b365ac1bfd63c01764fd88e724941ac

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
3a727a9589ead1152e19cc19b22eea3b

SHA1
548650f56b63969b9bdfe7e22b5f1829ed645270

SHA256
2e2fde5d97a97770ff6f70a20a73d1925092703b7eea15f7d3179cf429a27884

SHA512
b9f170a9fe8c43e4bfc802867d29e659adcffce3dd5bcb0802db9cce1959d51b68aaed059dffb03a29ca55bb23f96442efe174e26e4ce3a93eb67f764235163b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
cd5774e8d15d8ab2d89db0083d227d85

SHA1
6080c68e35f6b8aacd93caa052a73bb09c04cc92

SHA256
6754e986054204f9a940a18deee43adb278c34de70fe1862dc847c3b232ee898

SHA512
09f4e687ae1e3604be09a7783a235b4948e26d68979fa3c0f4b364035c5901507d5db731aae56f82d9c4b8ddab7f60700118b4bca46d12583137c5935c34f185

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
9cd772ca88a6425f75e6af38cdd61627

SHA1
242731ed812d3b00770ed8f24b65bead56ad671a

SHA256
a029bea3cea375b811d99af4029a18fbd5fc24f1dbd904d1acef4abc2cae79b1

SHA512
faf5f671d5ae57c22ebe255a031dc569ec914a3201b9bdf3436f4ac9e9d1e3634330e69fabd4bb91bb7ae7f2a20b4f19b91da72cc90d78e64cb38d9635b94871

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
506c8a5402af629a4353ac3cc41a681b

SHA1
715300187cd3fb394ce7fa0332f2a1686597fe30

SHA256
c97fb08ad3662c38618c9557ae113f25b67026a712bb8b35b59668369f03a8b8

SHA512
dbc8404713e5fa73e0190d8ea665a5afedf1b8ef2c4861a0f4da164b9cada1b461f01a602b8b95d2f6bcdf7dc6d0614e784a7ed482dd2e6bad15148ead1534e2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6adbaedd2fb4e5d34cdcc03491e2ab56

SHA1
b85c97e5ee86674d87bda4af8387ba228e046b50

SHA256
6817fc53089c76ebaaecfa2e077c8c498d12bfc927e5b77736cf4ad71f99e5e2

SHA512
babb22b44805b91df6eac255ae920c2c361843ac4e99155f7b008a6f00adad330cde04e9cf367bebe12d44e9cbd1c89f352412db1d8def0957a2d52e494c6fc6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
f3fd3a857816aef9b84ff4b4a4fb9900

SHA1
a4fb57ceb89be800ce40ff44b46dde443aecc17f

SHA256
8ab6bb2cb65ca85fc5271525c5c43cc08f84391c27a5e27b52f7035eebbe5eaf

SHA512
f7157160dc7dd272ff0552628853c3b4abd9d5fd5ef380545829d27036fd26435aee7ddba9b503241c50c905951a09c8c9b90f29826a2cb0195aa2241e2bbd4f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3f0f8579826dbda1a96cb93cf144e182

SHA1
5ace93bed381d224e4a818f3d6632b5a3905110a

SHA256
fee028821d381f8fbba7c649ba1a0e71152f862e77ffbe4158730ba2f75cc464

SHA512
d24b325754d986a4a7c69caadabf32f66d9bc511fcab6e4f188f1492706a0b88ee9e976b28eb71cb8a7a6b78c07d71e41b5f0e2d92936c355a02a05abcc4a198

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
1f561a9d20ac297833c90c25f2759daf

SHA1
09b440477d8797352088fb88721a058903ce91c2

SHA256
496df1294c5650979ea732d4406810494c5772faa9387383086c100fcbec2a56

SHA512
0a91fc9650647dc31f300156ed86b766ed8a49d815626e5d7bd99c41510fd7cb921b0ab6871a5cbecbe020462c8888ac871ab67e2c87b0f21c5de06cc252a06a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
01afb95d8880bfd8199715b9c7e2f33c

SHA1
5e4614cf55a04d38d398b75b6fa320975bb88aa4

SHA256
c535dc2009b38bf796e5b12f8ab2efd775853470517027ebd47be57959c649da

SHA512
0b729a59bafa4f7d0a6720927f7df2dadc2e09cf88894a78f242f1192ad5fbaed64af4d1b4a83573fb129127dc4065f79879ab1f90a219a8d179900a0d555225

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
523c17ec56b3774d0412e7ff465c1cf2

SHA1
d041d897463a43f943a47930b683030430d3bfc8

SHA256
3575349f22e6f1a6441f8c1778e4ecfd9086c6105ce1d626b566928200789937

SHA512
63abcdd6c1ca884c77048927c5cc24eb3f62defd0b73e3864e92e08a4ab3abf70821a78fd00045a53d459b9c669419adcdba29197d3c2d9c4a55c8d37e94d02c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
96472713069e3971696f86b29a8f167a

SHA1
f44983f4fa934eac49721b63c765ec105aaf5ffa

SHA256
243ae9d7654052f62edd0be2b3b14288c3dda283afa9b007ee78fe8ccc5036ab

SHA512
98ab47bd64fb165459bf1779eb75cfb048b906a805f687ee5137113e18095e7e0d982270d55b6f18b99d91eb9e68efa9825cedecf29cdb97464dd84a6e992cd8

Download Submit
C:\Windows\temp\F307B3DF7288FE11DBFB2E2622AB6F3A\2024-10-11_b1b3a924a339c84e5804f4b95c9f1464_avoslocker.exe

Filesize
4.9MB

MD5
b1b3a924a339c84e5804f4b95c9f1464

SHA1
c91e7fc26c9dae92666c467f06cd55e6d752fea7

SHA256
0b247bee5e52473601adf0dcdfad2680f069d59ea6be1a2a8a3dc83b2399627d

SHA512
b984bf222bd91a15df4e1f38832d85589c8c83b67cfc78e0765656bfc41bbec73021573b5dcd14d18b3a1ccb25d9643b5cb52dca67ca330c8fdc4eb22cb7b123

Download Submit
memory/464-666-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/464-389-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/668-611-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/668-344-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1112-499-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1112-264-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1304-39-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1304-40-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1304-121-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1304-31-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1628-140-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1628-321-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1708-28-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/1708-27-0x0000000077340000-0x0000000077350000-memory.dmp

Filesize
64KB

Download
memory/1708-90-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/1708-18-0x0000000000BC0000-0x0000000000C27000-memory.dmp

Filesize
412KB

Download
memory/1708-25-0x0000000077340000-0x0000000077350000-memory.dmp

Filesize
64KB

Download
memory/1708-23-0x0000000000BC0000-0x0000000000C27000-memory.dmp

Filesize
412KB

Download
memory/1708-26-0x0000000077340000-0x0000000077350000-memory.dmp

Filesize
64KB

Download
memory/1772-260-0x0000000140000000-0x0000000140120000-memory.dmp

Filesize
1.1MB

Download
memory/1772-444-0x0000000140000000-0x0000000140120000-memory.dmp

Filesize
1.1MB

Download
memory/2012-314-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2012-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2088-662-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2088-383-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2272-112-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2272-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2272-111-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2272-58-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2272-68-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2480-54-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2480-53-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2480-45-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2864-1-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/2864-12-0x0000000077202000-0x0000000077203000-memory.dmp

Filesize
4KB

Download
memory/2864-0-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/2864-10-0x0000000077360000-0x0000000077370000-memory.dmp

Filesize
64KB

Download
memory/2864-11-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/2864-67-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/2864-9-0x0000000077360000-0x0000000077370000-memory.dmp

Filesize
64KB

Download
memory/2864-8-0x0000000077360000-0x0000000077370000-memory.dmp

Filesize
64KB

Download
memory/2980-91-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2980-263-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2980-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2980-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3036-227-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/3036-376-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/3424-76-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3424-70-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3424-79-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3424-259-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3444-306-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3444-130-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3904-342-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3904-184-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4060-303-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/4060-561-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/4132-286-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4132-533-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4336-374-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4336-644-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4344-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4344-592-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4448-177-0x00000000055E0000-0x0000000005626000-memory.dmp

Filesize
280KB

Download
memory/4448-234-0x00000000060F0000-0x00000000063DE000-memory.dmp

Filesize
2.9MB

Download
memory/4448-340-0x0000000006B80000-0x0000000006BA2000-memory.dmp

Filesize
136KB

Download
memory/4448-352-0x0000000007070000-0x000000000716A000-memory.dmp

Filesize
1000KB

Download
memory/4448-353-0x0000000006F90000-0x0000000006FAC000-memory.dmp

Filesize
112KB

Download
memory/4448-357-0x0000000006F70000-0x0000000006F7E000-memory.dmp

Filesize
56KB

Download
memory/4448-335-0x0000000006AD0000-0x0000000006B04000-memory.dmp

Filesize
208KB

Download
memory/4448-348-0x0000000006E30000-0x0000000006E62000-memory.dmp

Filesize
200KB

Download
memory/4448-361-0x0000000007000000-0x0000000007012000-memory.dmp

Filesize
72KB

Download
memory/4448-170-0x0000000002D60000-0x0000000002D6E000-memory.dmp

Filesize
56KB

Download
memory/4448-281-0x00000000065C0000-0x0000000006626000-memory.dmp

Filesize
408KB

Download
memory/4448-292-0x00000000066E0000-0x0000000006786000-memory.dmp

Filesize
664KB

Download
memory/4448-182-0x0000000005670000-0x00000000056A6000-memory.dmp

Filesize
216KB

Download
memory/4448-343-0x0000000006C50000-0x0000000006CE2000-memory.dmp

Filesize
584KB

Download
memory/4448-216-0x0000000005740000-0x0000000005752000-memory.dmp

Filesize
72KB

Download
memory/4448-440-0x0000000007390000-0x00000000073C8000-memory.dmp

Filesize
224KB

Download
memory/4448-441-0x0000000007420000-0x000000000742E000-memory.dmp

Filesize
56KB

Download
memory/4448-221-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/4448-220-0x0000000005CD0000-0x0000000005D18000-memory.dmp

Filesize
288KB

Download
memory/4448-503-0x0000000007620000-0x0000000007628000-memory.dmp

Filesize
32KB

Download
memory/4456-388-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4456-591-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4456-247-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4708-212-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4708-373-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4836-93-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4836-104-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4836-113-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download