remcos | 3b58a492a265b1629ab7bd59cf3df576f5723f0c5c172665e14e563f7f13c59b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO 036086-06709 -2024 -Order pdf.exe
Size

2.9MB
MD5

f74fb3c0c8708b7e11eb2da3703fa582
SHA1

ce258c4c0d7e409afb736295e82cc095fb244ac6
SHA256

154976468ad4be5f36dc0f0ea701a8270cc8240fb22ed705e2ccba689b663056
SHA512

3f9a942543378f1ac97e517d7d4e4fb5bc6ab773fd155f1dd8dc574fb1c88bdf3e12425059242420fd0da4c3fdf86fb6ba2ce1e63c38a9d5b92b331ccfc2f485
SSDEEP

49152:f3v+7/5QLa9dNZdu9hRRQWv+cWP1/Z0SZpKW3KXKQOylO0/x:f3v+73NZEhTpv+cWPJiSZnC9BD

Score

10^/10

remcos remotehost collection discovery rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

204.10.160.212:6622

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-98KSNN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 23 IoCs

pid	Process
1088	name.exe
3116	alg.exe
3608	DiagnosticsHub.StandardCollector.Service.exe
1400	fxssvc.exe
4492	elevation_service.exe
4004	elevation_service.exe
3592	maintenanceservice.exe
4908	msdtc.exe
2396	OSE.EXE
3412	PerceptionSimulationService.exe
784	perfhost.exe
3804	locator.exe
4772	SensorDataService.exe
4472	snmptrap.exe
2364	spectrum.exe
2676	ssh-agent.exe
2900	TieringEngineService.exe
2132	AgentService.exe
3904	vds.exe
3848	vssvc.exe
3148	wbengine.exe
1844	WmiApSrv.exe
1456	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023482-5.dat	autoit_exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	svchost.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8aa2112a4521e136.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	svchost.exe
File opened for modification	C:\Windows\system32\vssvc.exe	svchost.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	svchost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	svchost.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	svchost.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	svchost.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	svchost.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	svchost.exe
File opened for modification	C:\Windows\System32\alg.exe	svchost.exe
File opened for modification	C:\Windows\system32\locator.exe	svchost.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	svchost.exe
File opened for modification	C:\Windows\system32\AgentService.exe	svchost.exe
File opened for modification	C:\Windows\system32\msiexec.exe	svchost.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	svchost.exe
File opened for modification	C:\Windows\System32\msdtc.exe	svchost.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	svchost.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	svchost.exe
File opened for modification	C:\Windows\System32\vds.exe	svchost.exe
File opened for modification	C:\Windows\system32\wbengine.exe	svchost.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	svchost.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1088 set thread context of 4988	1088	name.exe	83
PID 4988 set thread context of 1236	4988	svchost.exe	112
PID 4988 set thread context of 3028	4988	svchost.exe	114
PID 4988 set thread context of 4616	4988	svchost.exe	115

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	svchost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO 036086-06709 -2024 -Order pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd79babe5313db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b1f58bc5313db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091ee83bb5313db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002abf36bc5313db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9f1ebbc5313db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007c2f8bb5313db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1236	svchost.exe
1236	svchost.exe
4616	svchost.exe
4616	svchost.exe
1236	svchost.exe
1236	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1088	name.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe
4988	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4988	svchost.exe
Token: SeAuditPrivilege	1400	fxssvc.exe
Token: SeRestorePrivilege	2900	TieringEngineService.exe
Token: SeManageVolumePrivilege	2900	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2132	AgentService.exe
Token: SeBackupPrivilege	3848	vssvc.exe
Token: SeRestorePrivilege	3848	vssvc.exe
Token: SeAuditPrivilege	3848	vssvc.exe
Token: SeBackupPrivilege	3148	wbengine.exe
Token: SeRestorePrivilege	3148	wbengine.exe
Token: SeSecurityPrivilege	3148	wbengine.exe
Token: 33	1456	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeDebugPrivilege	4616	svchost.exe
Token: SeDebugPrivilege	4988	svchost.exe
Token: SeDebugPrivilege	4988	svchost.exe
Token: SeDebugPrivilege	4988	svchost.exe
Token: SeDebugPrivilege	4988	svchost.exe
Token: SeDebugPrivilege	4988	svchost.exe
Token: SeDebugPrivilege	3116	alg.exe
Token: SeDebugPrivilege	3116	alg.exe
Token: SeDebugPrivilege	3116	alg.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 1088	3848	PO 036086-06709 -2024 -Order pdf.exe	82
PID 3848 wrote to memory of 1088	3848	PO 036086-06709 -2024 -Order pdf.exe	82
PID 3848 wrote to memory of 1088	3848	PO 036086-06709 -2024 -Order pdf.exe	82
PID 1088 wrote to memory of 4988	1088	name.exe	83
PID 1088 wrote to memory of 4988	1088	name.exe	83
PID 1088 wrote to memory of 4988	1088	name.exe	83
PID 1088 wrote to memory of 4988	1088	name.exe	83
PID 1456 wrote to memory of 2716	1456	SearchIndexer.exe	110
PID 1456 wrote to memory of 2716	1456	SearchIndexer.exe	110
PID 1456 wrote to memory of 3808	1456	SearchIndexer.exe	111
PID 1456 wrote to memory of 3808	1456	SearchIndexer.exe	111
PID 4988 wrote to memory of 1236	4988	svchost.exe	112
PID 4988 wrote to memory of 1236	4988	svchost.exe	112
PID 4988 wrote to memory of 1236	4988	svchost.exe	112
PID 4988 wrote to memory of 1236	4988	svchost.exe	112
PID 4988 wrote to memory of 2876	4988	svchost.exe	113
PID 4988 wrote to memory of 2876	4988	svchost.exe	113
PID 4988 wrote to memory of 2876	4988	svchost.exe	113
PID 4988 wrote to memory of 3028	4988	svchost.exe	114
PID 4988 wrote to memory of 3028	4988	svchost.exe	114
PID 4988 wrote to memory of 3028	4988	svchost.exe	114
PID 4988 wrote to memory of 3028	4988	svchost.exe	114
PID 4988 wrote to memory of 4616	4988	svchost.exe	115
PID 4988 wrote to memory of 4616	4988	svchost.exe	115
PID 4988 wrote to memory of 4616	4988	svchost.exe	115
PID 4988 wrote to memory of 4616	4988	svchost.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\PO 036086-06709 -2024 -Order pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO 036086-06709 -2024 -Order pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 036086-06709 -2024 -Order pdf.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\PO 036086-06709 -2024 -Order pdf.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ksgriojlgnaryfghjvdvlpebuaugf"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1236
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\uulbjgufcvseblctagypwuykdhepydfli"
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\uulbjgufcvseblctagypwuykdhepydfli"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:3028
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\xoyuj"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4616

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1176

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4004

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4908

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:784

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4772

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1676

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2716
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0edc570ef94f6181974652a4ea14875b

SHA1
915d41d52ba15377afd2b338fdc30e049ca9a2bc

SHA256
4f6ea95c9bf4dff1381c58e98d395f3c107358a23d181517fddea7cf54192721

SHA512
04c0ffc7b89b72200cc70081c33d0c8d88d3f2a87c63c7c9397e559c2e287ea04d587337cba1e664adf7f3b696e418b2beb755cd318b4a04e0d20e3f4b5e5fca

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
1d9e650154f099e910e9c11f5ad6bcca

SHA1
46d2dbf2e97eae25147e5d53f6e8a7cac8ec757e

SHA256
86650e5def26e5656b6cab8e999d2f80bd3ce22d979515718c575a79ca31836b

SHA512
551e2e79328c9077bec36157bc8bb6f3b50965bee0e5181caebe38473fe5c4eabeb2c1b8a28b78683d452bd2d4c09e5b821aef0587934b241b0286a7ef68bf8e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
1141da113eea8077bd4c3aee5e03e73c

SHA1
a1b728fbc287c9647056be1cc0b0dd31f2371b4c

SHA256
751b88af1a8ba84523c657b4e70fe15b83f301498663d79fc34a85ecfb2b1739

SHA512
0759b1d6d6587601c203d4069b478ec1d55b0afe6a84aff2e9c12af1097210bc9f098d2137d765125db05a91bd4f04ed598961e178e55ca70ab6a31f94128216

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5d98b0ec5bf66f4c42edb16c3e1c6868

SHA1
bae74226c938a839a95ffcffc27578a07c4508c0

SHA256
928757e7a92bb70fa2457c127273b1b265d97a8b09e71627694cd52ef713ebea

SHA512
30365019b89891d62489e0e53a40fe8f379493f164c53b087617e23e4dc962e0cd942d5fd1d0baa20f1ce38bec43d5ecad28d3f1cfab6b6b289dc990a42f9ee9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bb58a6ad9c188ba61b05ff840df65f10

SHA1
8662a099d35cb85db990b1469419cff967bac6ac

SHA256
1986b66bbd9a002ceb5d5d04c165718644a3669f7fbb698768533bd15dfb3200

SHA512
4707f48d08e7138cebffc3b498ced79a390cda0aa7aad7b8dde3a0cfe9da769245f122c5fa2cf2b41cfab12f3c72ce1bb2932d6ef4c9d7caba83341f02a96ab4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
c10d87017b5a86f6749277f733261113

SHA1
831cd76470ca3a768fa7bb834b85163caf7cda80

SHA256
60171d70aa6c0bc6baa132c8cc0f94861d934aa1c1ef385da9eadcc4f5160a8c

SHA512
84e30dd01eebb58aaa0acfe0faaeb1526678126ee395f19f4c0e8fad41f4e422a9f140aeb9dc925635e025be4b2bcad0eb173e12c76649a3e4b4ae179a8388ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
d03a86a1e96a6825bde1565c636faf6e

SHA1
40240b655fd27d65b287433ce204deadade8d323

SHA256
a920c14dc217d9a22269d838f8c20f3719b989c2a2ecdfbb685ff65625b08c94

SHA512
e18bbf977710b8697fbbe304e2127dab4846047798760c24440c0cc13997585366bf9ec2434f5fcfbf77957074caa65b334d5fd6b1cceacb36ca0f1c85841c0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5c7589cb1623c363650c471601505eaa

SHA1
3f7ad0439eee58b5fa7a5e232c337ff3548e0cc0

SHA256
153c5b414ab38be33e25ba7de67b2fb97950aa18a81a4d096ff6ba09c0f9d0f9

SHA512
12465d04dc9c5d930c36f8ec941f0af37e524e702dc38774940f7416ebd9596d8fbeea6d4086c8e18ea87633d858b76bf90405fd9c83629714ab209c7381c4f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
4bd53f912977bfafc612870d39360909

SHA1
0d3f026d44ee1652c8a705e1da3db4c7f596dd57

SHA256
41631d37b51b2c99f451d0e0f70340290ee8c0390eba65f455e992e3d0b84bcd

SHA512
703ac491dc44d32f1217258d6e53ae1bd1b376cbff864ea53c42e15c0b8a2136911ae2d571447e3a808c073f63582964ba4a2d356b07b25f798da93e1e77d9ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
258eaf6f11464817c1f1db6fde6cef85

SHA1
eb6a9dc6017cd5d7384036b7efd47822562d9f80

SHA256
04fc614c23b88b61d03d97778c9d7c5f8895301eaa84fc73cc0003790a2ebc0d

SHA512
b29ee439fcf58d762a4cffd1f80a05dd7b32fce4e3b83cb3bba8e0b38213fe8223c83deba81f2ab1890247b4c53f0e6e9531bc6da0ddfe0212491c0fb71fda23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d42a4c71a06bfbaf3f6bf65952d632aa

SHA1
b796aab46adab7ec17c3a58450c010c083c82b06

SHA256
5eb443ef6b18d9977398d05ae78262783d179ea97a0399b87f78be857e0aeeaa

SHA512
11a949724594a32dbeb5a6200da8c1aba045b58af8af665485fd577185f3d92b904f9640f08791724e62009b0b1042a7110177b2d3d1ff16a2fa123640fbe056

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cd83fcd00f263453d526e8bc46e51a5e

SHA1
c4ef3b7cf9b72956bf9e75ead9677d079d357d34

SHA256
dbbdfd3f37f1a09e6611e769a037f3ae435312c3868864799e4aed998e030a29

SHA512
f1ac90df105a2fc625dfe62905a5dd05dd156f4d945137c0bb2e96668c71efe67c20eebec55e920db52459ff39d1785eacee1a9bc5337a405a20cab53f32fa2f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
2653e33a1b3736cd1164f8b9b180b5a7

SHA1
3cbce8ddff286a4ba62b362ce1b23ded2e4330b3

SHA256
bbd22dbe36e217de08e59c087791f1bf309dca526dbd7cd40c6e1947b5cda2ef

SHA512
aae1970ab4dd4feaa76c0b545ffda7bcda86839240a8dc84bad494ff6e02655226b1eed175211a44ab82fbcc30be6f487a859264bd861e61423eba9590839ff6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
a6e0838c62a1084998feff72e60cb334

SHA1
5a804b80048b6c86bdc9b2ade5204578975a3df3

SHA256
5dfa9dcca763dc89c9fbde2582303112fcc7d6f69ab39f1e6d6b5cfb9d415751

SHA512
5a53175e2c71946f68c04c8e1fba7af5e2e180339fa188fbc014737f3dc46e24fe2915b2c842c4d0f959a886ba6681f9116c754d28d12517cadae1cf036f681a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
f0e2beaaba05509db0c7bef98b6b7481

SHA1
67d17068a5b71767c1e48f6d609be765eaea5648

SHA256
d84b9222515c14c767b7fe0d5b9a252dd18158b9535691577990551105f35050

SHA512
be7a5591a67495304ae0f176beef27adaa346833ee3bf0a2c9b3f5c28d7ab08a776c3662fe69d190166180b3c207eaec5da2294182547151dc9da228ed923710

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
cd27f7d44d3ce7b7b126793c0a519be7

SHA1
85ceffe6517eba7f80795b8f6d849f6aabfbb627

SHA256
c28c38ed83d925f3df7e8618c603d5e96f9996402bb72343e1597fb2283570de

SHA512
c13c3f3c83eca93bdf7d94052cc139d8b136c6134801910910cfcead5cb75918a74bb586a12dcdf0c78ddaa83d6a57495d832672a00c1a198757667e5d3b43aa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
89192e268205cbd69060de0b135cee80

SHA1
5b711f673ec49177aaefac63c7566f5470da6255

SHA256
d14583069af808e03c5fb70389ad10f18e83a6935e6c482d5ce4ebcbb8a9ee9e

SHA512
216ff83d33466f9d35854b1f6f714d0611a8ec9205f757b848961cd28c6779f39bbd0e9bff56c995f1f25fcacd7c469a51299492a84fb95e4d53708fed62b2c1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
04ca1eaa5b0dc3022716bed59528c6ca

SHA1
2d9c7b3395bde28c1c33e2bd44bf2a81ec234e04

SHA256
6dc07a5dc24ef66274dbcb942541881dfeeb51b7b06c21c7ab0b37424dae7bc3

SHA512
2c5370e5fbe52c539da85981b42a8e5628d9923d4f505e26c420a21f4f30c9cf992330ce16c52379d1c4ab6e24ec295008f95fd002c14de3bf11f467b3c613dd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
83ba0552b655a329343e71ad3a81fc98

SHA1
c990fd74b8bfd51f48832e0cfb306713cbfc0f8e

SHA256
f7c8d280a3e0ddff61f58c45db8e6639119251fbf362f9debcdefa6abd8d7a62

SHA512
2224df9ee099c5774df94bd7212f602ea75231dd30d9cacd42d86f36c867921802bb97e47643bc8d9565e608fc452ca8c5d34e684ea016fca502e5105cca0b5f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
701bf6537bebb3d829bc2e0e9ec408ae

SHA1
215df8fcea0cb253503f310d29b5fc778737c98e

SHA256
2197b0209e64438c25c3c44072877269356ec04bfb3bd874a21082e071d1695e

SHA512
d231f379a45e45300bf1b3f06fe307c336e0ecda998373b158bce3553a2fc49fbe6e1d01226a740d1689419965e0bee5a2a3e0c681fd40a1ad90d1aab8612bd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
aa994463c4191f2b31e9f32dc7549a33

SHA1
e6b4e2884b5d15c7805cc3d5f94aa6bffd031305

SHA256
2ad2b0ac63b68d21227213a59f76a5376d712f6b511d1ad5d953a84c192fa36a

SHA512
730f907b508cab37928d67a5cb69a0bc6dbe0f04689667c4d9612686b60fc8dede4ab1bda547a590544732932d81e10a147b3fe45d38061c9adf5ac5e446e400

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
39935389eb4837dc7e74982348ca9924

SHA1
8609937d461567bf82d996bca4676f08796dc073

SHA256
862b378563d6932218e2e1d1ddf85df65549c2532f9f3cc132554cc887af05eb

SHA512
51f43758fd16aa0f6e419a89b59b508b772ad7b14c5360b625bcb4f5e27bb8333b78de38950fc74ccb412fef8665c92c74c6e3b2d25c94637d030041d292b5d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
784290212de0ac5a92bd71c2227c7bf6

SHA1
0689435bdbcd7284467e5cbd12989e3026d3f48d

SHA256
7398082582ad4f722f846d380c9cdf8d97631d01b63bd7c6cc7fc2af9c20eaa6

SHA512
a89ccee7455bf9652bad7375e1931af47ced755568020f31a5ce13e17fa3483e628d4ab16b82e007f9ad540c368945930f7e8fc12d7666862fb353b3fae7b6f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
6158f37955773240972c3852ec635b89

SHA1
cb8a0d147db7fb05ffe6f40362d702e0d52c3974

SHA256
45377fb62913407ed77fa99f1f7a1e2a066bd3a886855957712f5e38c4afa6b8

SHA512
f3724d182365fa3cb203249529bc77444b6be20c2c93a7ecfa0e229bd3d9672a3f10f0647e55aff1caad8d13ac8328cfa9679c0cb9e215f7856f771f9a99e0d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
3dc3c9a9c722600310f8e2352bc64bfe

SHA1
7f2682a5da51077de59bcd888f31e1ebdbd80989

SHA256
468d440883988d515e6312cb552eecfb737babaec976c746a18a8c74f446b4ee

SHA512
7afb9ea22eaf796c7f6e63110eb0d5adb10bd72147914aeb62b41b40067b239a347c2968501eb733da5f19fb959b629f9e67b3aefa41293735036e03a8c04621

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
381a8974a2a8e3a321391d82ea04d2df

SHA1
6fc41f98e8e0bc662d771e224fdda1b787dad239

SHA256
5f21c370538354d1f45ecb1b23573a30c832bd20a90d7ebb55077ebac305e4ae

SHA512
d7ed4ede7a81c8d48d738e5aca9c66acf27738fdbcf57fa79623577ae06de0b882f03b663a20680450e1df03ab3e562b3247daf9f84bb2b95ec2ef09ac5ed025

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
89bd327882cebe2ae2041522479a4fad

SHA1
8c1fa74dd57083298a441ee046ea36f9544f849d

SHA256
405d47fc922826a47074b870d40adb56108a80273ca8171b9c2df352bdf8bf36

SHA512
48f66fd6cb170317f40f67fac1243687cb73e06356f8bdb57726b464da5c02e563809b278a388676bbd010027b98697236ecb1ca264400d8aa82024ae607ed91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
afa13c296af4584b458f0627f2a7f7bb

SHA1
47a1c91cc420e3fb68a709792f4b09a17dbdba80

SHA256
a260370db0b8e7940bda009ea59125a2f98ed2baa976ae339b0d095161060b25

SHA512
18da107f7d0c5800d8c4dd49f7135d3c10ff5c37727932ae23f4fca057d2845e92009c1668768235219036eab67afa3fe5fdbf6ee5ee61fd9f9deddb6e33d5c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
31680eae0d0323f18e89628db22618b2

SHA1
b7e7a2058ae097c7f1234dabc891c26ca5807171

SHA256
63c7612eeaf549eb907bfc381f0f3449a82d7a6a8da25d1aedcd91cf6d73b3a8

SHA512
8b4163b0587c6db0875bd72293a79eddd92dcfcf439d3346682b80b49e26842834dde08d518273f547e15a3c122994380eed119d96993b8819cb3e758a192304

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
a82a8cd6e66ffdcc07c06c6ed0abeb9b

SHA1
57001aacebbdf5dcf5e76c6dc753d57b8dc2d0ce

SHA256
4cf9273e2b99ee90638cf1b855db96c5b422bc361c5c95f0159780386f98e2dc

SHA512
e2850551a85fd88c9bf098d18472ccd6a9571bd2adf24012867263ead576d768ea87ef3a5584019e0275dd9eda75cf269ed72f31c9803f131bb158523d44eefd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
083f6308210004122d5294829baf8e79

SHA1
50b76a3a138bcc362f8ea9bc363d8ebaa90e0b0c

SHA256
9b4cd9ff0596e9bfff06dba33deecfb6c686ae67b256e3edbbc19044cecbc21f

SHA512
2544b80f398a7555dd6e20bf574bb2d8642a921227005b77f82e167941de0d539a6fd9d02fb4b7db7c604a8d86aa72d0a3888b253507138700a29dc5e5b3f3d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
018bc30df1bbda4cf4613c0524d6472f

SHA1
e0e9cda5b044bb5e1f6f012537fc15d97e2ab1f1

SHA256
66c57e5c7c75b8001a1ada29105546d86e1f263fc191fca01b7afe2bfe70617b

SHA512
d7a1a221e5d74841ade0cf4f03f9803fd419419dc44e8f5a2cf5dd52074d5489270536434aa5796a6be324ee3ab6c6f0838d28666d002ed366d4704b2e14b514

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
faa937c8f771174f84697cb7b309c7aa

SHA1
a735e1b3817506840a23e4d20dbd2c204225a3b9

SHA256
922800028308b4a48b63bc433eed56be53e0b0920cd2848e6e7d06bd3ec34900

SHA512
03ccdaa61d7bb3ddaeab2e297483670793e18dd9e77d83f063fb9371c42be4a3ab3551c4f6666cb3c6164b23ce3f5791c0936a5b2275d94ed0efddc48c25cc7e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
47f9b1c02d604887f6f87e226ffac98a

SHA1
6a700d341a6f9b461d87e84689d9e02d402d2a44

SHA256
808c58d0de160ad5a15c8bcc1246c5ea9d726c28bd178c3eda7874be4cc127ae

SHA512
41711d6207632db28a16fe7aa02355cfab4517becd2fb6977dc57aa89016ee0af524ff91fcbc8c719ef8b53f1cf7d828af85b51b69961b6b7ec08447c50585a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksgriojlgnaryfghjvdvlpebuaugf

Filesize
4KB

MD5
1891919175c888ce82e9bd8a047b01ad

SHA1
502a6892a5d27ecb791ac5aa6d8586944f540453

SHA256
a6c43b4e4b8681cf0ef56c49c730fa77e34dc82db0260253a3ba75039030b9ec

SHA512
8bb940050b1abf6c27db133ed446f41e108f670f361ed5102408832ce33d9b87cd0880723441f1632292eeeb0a319c4e0fac0ea659eb55ebe1130cc3e6c776a3

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
2.9MB

MD5
f74fb3c0c8708b7e11eb2da3703fa582

SHA1
ce258c4c0d7e409afb736295e82cc095fb244ac6

SHA256
154976468ad4be5f36dc0f0ea701a8270cc8240fb22ed705e2ccba689b663056

SHA512
3f9a942543378f1ac97e517d7d4e4fb5bc6ab773fd155f1dd8dc574fb1c88bdf3e12425059242420fd0da4c3fdf86fb6ba2ce1e63c38a9d5b92b331ccfc2f485

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
965799d1bec813fa2ae321e83166aa8d

SHA1
d14fbb80b8be779e9286759badd2d022546907a4

SHA256
b792a6f95c6e538eb05e4e1779a4b09b8e631313e56da9a0bded0d1f86c627ae

SHA512
c171e9ada8b6065d2e44d073208313d8ac3f1be1b10f8b0fea238a85f23a434a65c24e24a15680ffc7e00d9ec135cf2c727a93d017181ebf2680ac29f557004f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c19b7039715f7e99f13c5921f361feee

SHA1
7bd9f68b743c837f7981e1f4e49bb8bbd699240a

SHA256
2977b36f6a68fc1ec82147b71b965d1e38a132b00431d23b73923cf4b48bc3e2

SHA512
d1f721ca16070edba7d3c9cb9528f51b1de831d6f7eb91235133049b44a244a9fff79b757d7c40284439f42baaa27798085629d4d5f0a4880a472afda7dc857b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
fa333dcff3c301ac9a11e6ef77561ecc

SHA1
fada1b49561a896481dd0ca01c8e8949c1312a6e

SHA256
851724333577de63ae8d2d6493cc6b60b4c1eea60a3aba5acec0777af23f3620

SHA512
a4b3a3ea810d670d12d84d7e6077b662d2ca94b231149aaeadb862552eb8c89ee9b1e238e66d021639f44ecb51093057814d79a5ce3088e1e037909419d923a2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d2ad93e8e0c386a10cc09c229a988811

SHA1
f6efd2ebf0b24d8aa71d380658c873171ab5a47e

SHA256
528c9e1c7c87f2b7d019f41e4f0f851be2c72d9a54908cb11b8b8df1e586e585

SHA512
1822571daa5d9e7f335d25b6563bf9cbfa16d4289fa50a2b1c0a1167f3ec48073df47d994fabac043f06329e4f4a19692298de2de83757a1153c956b8f982535

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
c80b6ef96c27dfd274dcbd55372adbe4

SHA1
2fd6fbd28df9def02c1ba07117fef08d30d02c44

SHA256
c36ec68b6caea74114511cfadd192e0b8b017e389d647ceed7025355972ac505

SHA512
c0a51f574b5e4e6620da04702bbe2265f2f75a0c1ffedd42a91823646e01a07cf0f0267b58e7794b02a60b8e2af4eaeab11b46546469256303deada472b3bd86

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
549cbe81a9e54c1032e4f963abfc7ece

SHA1
e532f89a6677aac90aeb8169c09a50d81a0b4c17

SHA256
6f1cd71b1216f7bd32d19eb3a0e96d94a89a92738236a159cbd78d298b84fe10

SHA512
a8f4be10822ee0d07efd7c136ac65a3d71c91536b04d1f48902ffd3b288803b3d16382b342cf833bba50e11e2ce82c8b19d888a46e4451e9d38a6ca087c71377

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
7dc150ed3e613f5ae84a213ab9c5470c

SHA1
32b3c1e26a959b4fd4fc32d01901a4d35a20e699

SHA256
66d7ec98373e5fce902d6d4a74f2ea90f1b0d3303f7869bc1c652198a77ceeed

SHA512
a3115458065c8e415c62f0f4d42d900fbb2f7f075d759e44dbd6ccb90af7e045fcab6a77ba50ee4ea6448f1e9ad1ceb0dedcc2d61ed7531213d06431df200def

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6f127af0b5ef2a2c44fb3097d822cea5

SHA1
231a0cb662057d76978bf3f8a646db0728387b12

SHA256
762389b564182ceca732b6828511425d6f19a92a4a0162c8ad69c44bd0b071f8

SHA512
e1ca26d7cd55e765f71039ec706892e95493ea58e442e546bbf64cac0499860da755308b36c433cfb6be226c19dd89d4c52ce09ed83fc932551c43b1ccc1bf2b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d300eea8ab354de116a5e89a4baccf64

SHA1
5c972643cf5235c4aebbf5a3d36e1311dbfcc49d

SHA256
25c1f2f0070c03ccc0c8bbca17b6706980be485b159003889638b21eb25d7d8b

SHA512
d671227a907dfe7e3b22be3eacb972c4c3b45687fab27f9fc73eed86fbe0043bb814df7a4c060a04488e579bdfbacf9edd51ba3267c9acb01f6fb68a05f4e592

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c1bd0300a695c388a6ab5ceb1cf2eac4

SHA1
f223e74b12fca5ce2d61e3df1f734538dcddc158

SHA256
6dbe3c5e167fea89769813dfb05fa1a6aabd7dfb1974282e8d4d13ab7cff9c55

SHA512
bc70c366892759fac909066f656c968b21520410379043195552ea843b097e47ef8604069bd0c0271a67c4141e941fe29d586019e4c7b4cc260715138df11ced

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
03b6283d17b6a3975b4b932453602930

SHA1
484ec7f6ff86f94de4168f8f0c31e55bcf2ddf8b

SHA256
58ad43fe1c552fc35f7b50919661f8f8372273fe5d6406332e74fb7b844849e6

SHA512
6e01798dec96a917ca68d66c21dd64f58ef2fb5e0957a39eaebead5e696ed29ef8402fd435bbb241d7d902f9d312bb9daa15a580729a1349341160877180da49

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d1e3117fca5f33eeae30f42195ead11a

SHA1
86dc23596e60a8b565cb3061d2608f6e815caf9d

SHA256
715f797c53a645a493073b7948bc29c30adfefde6e8ed35126591570acace0ef

SHA512
8eca2ec1f7f750756109e45582ece14ad2b738dd5cbf54ed47e6d76a0cc422582f4e8c7dec35b673b93f197ed7a72e5ed0bcf0ea76a5edc05856da675591a247

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
be282606636626bb3b51e37eb50dd007

SHA1
c5eee7f81a86cf95c9199cc0c8b7fa313ecaa041

SHA256
3ac573ae6bfc5ca8f7f5a170671d72afbd7d2beb03b75b21d3ed17c1970e3db1

SHA512
acc9b10f102133bdc4b90b915606c9027061c0522389e3763ab46bab4d5300502b41cda1ed64558125199c4f89727b0b0e0a3d5f35e6337a98382eb9625248cf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
0f927a20699956f85e43d0e0bfec21fc

SHA1
0053a88cb8729c2ee11fe89639965eff01befc0c

SHA256
1d955c4176f7bbefe1f92f1a29066b888a9423b8ca8d2798afc2a29506303688

SHA512
93d5b0e909619fc8e4426bee2a4daec85dc92af74aea04a0c7f273359acf9d64910af13d8c6f644626eb399e36daa2689b76774fe137e60b2d417f441cb44d7b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
9e9a86e9a938bfc796d178d5fc39e5d1

SHA1
359ceff1688334117b61fd999b8395f802f6152b

SHA256
b0bd0df0f361db0e5d1a2e43a3acad51aaf9ad95ca2985caa32c90483108a321

SHA512
1dbde53d3b9ec6c4985516a0e2328be87f90817a3d114c75994862253e9d59a1d21ffd4957a24536279067ff2753b1177066095f2438fbab06b9b4ca8d7371c1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6d0cbf641fc9397344c829f3a55775b1

SHA1
ff11e5fc176132586c5f63160f3709ca4125bc6f

SHA256
194e2aa4f31648d4e22f0429ac72a0a94bc6608b4da9cd19f94d3c2bc74cbfc2

SHA512
406733998a4a6bcec9e4d842ef2257ca00429026031e4b014821a74d5f98a77ec1c8bfd81aeed94f544a12e2b7bee2beb5a2d36bf87b7103bfbfdbb48ff0d214

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
faddb4d07e4e36eee5b59315bb008e53

SHA1
408e1ccdd2d6efc25d473b0f204186f8a8e22721

SHA256
2057b5dfd3178bc67862b359d344ac05b544b3a9838d4bb2107907af67a371f6

SHA512
841577b4c56b692a042b08c1be22d683de3c456a12ba3e7fef1876916e05a30f57a64d13e4dacdc249af4d54baf5592f49bf7b6fedee1b2f49ee3acdba990f08

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e1526cdd7bef8980e5aeefd211c6e45b

SHA1
14827cea7919f915a07278e2c47e2c3836c0f42b

SHA256
3cfe130da1ad7629eb84be3b90bffbf09cdc46da146968591bb9750bd412fd6c

SHA512
7e6277dc9c03df9a44961c3d703eb645b3e935401620c609cbc375516457936b0bff9451cafeacdec9ef28d57b3a5cc3d1c295dc32d71f415a10513764e2c841

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a0561216989f4b434de6120baaffb31f

SHA1
712e6e220346400dbc71ac042a71cf54d12ea539

SHA256
99861f7193466cd78afc3b368da8bb9ae45e28d77ae8c0523a06f8d0ed1fef55

SHA512
1d90484dcc07e07e877ac8182ab300cebb39f131416c8a7679b7dad0b5d238f02914788934b3a3969cedc707f26f58414c35851b4cbf20b49b3426961dde2abd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
7ca4393b32c9f283290b3cd7cea30a02

SHA1
be651b8cbc1f137824fd35c768deaadfbe638036

SHA256
0cdb591760bc23d300d927eebde02110d83b9042f95add01205fe8aec2e8da64

SHA512
c419709f02a545e668c2a50729c4553ee6e0258cd3128045ca335804fae7b1154c5201db06f49ac77c89dfa443bd7b8381a915b5e5d157db095ff99d173b99ed

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
fdb9f46e2cb13ce0749af770e72557e3

SHA1
48ce9acae77f4df211d45a7d5e7a7e2316b99270

SHA256
9852cc7fdf84c18564d8ecc5add9a6921ce937de51c74a11b25181079601c111

SHA512
117137aef65fb131aaad9fa7b52821a6904fda99126c7f1f6a2aa4f516c7fbc918881fb8dcc97798ebba958d8f9017f7d7d0ed0b0b72becd42310549b4d323be

Download Submit
memory/784-144-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/784-257-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1088-10-0x0000000004900000-0x0000000005100000-memory.dmp

Filesize
8.0MB

Download
memory/1400-74-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1400-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1400-55-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1400-61-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1400-76-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1456-586-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1456-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1844-585-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1844-278-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2132-231-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2132-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2364-395-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2364-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2396-233-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2396-126-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2676-443-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2676-196-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2900-215-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2900-493-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3116-29-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3116-31-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3116-38-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3116-143-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3148-258-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3148-583-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3412-245-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-132-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3592-90-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3592-100-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3592-103-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3592-98-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3592-91-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3608-44-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3608-43-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3608-158-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3608-50-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3804-269-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/3804-153-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/3848-2-0x0000000004E70000-0x0000000005670000-memory.dmp

Filesize
8.0MB

Download
memory/3848-576-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3848-248-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3904-242-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3904-551-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4004-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4004-195-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4004-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4004-87-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4472-364-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4472-171-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4492-182-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4492-65-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4492-73-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4492-71-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4772-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4772-167-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4772-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4908-105-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4908-218-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4988-24-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4988-26-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4988-117-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4988-22-0x0000000002BD0000-0x0000000002C37000-memory.dmp

Filesize
412KB

Download
memory/4988-21-0x0000000002BD0000-0x0000000002C37000-memory.dmp

Filesize
412KB

Download
memory/4988-16-0x0000000002BD0000-0x0000000002C37000-memory.dmp

Filesize
412KB

Download
memory/4988-15-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4988-14-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4988-13-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4988-12-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download