remcos | 4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe
Size

2.9MB
MD5

155573c10ba4dfaa5e03edbc0ec1693e
SHA1

69e2079d8d1b6b3b63054ddcb230ed1692215937
SHA256

4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285
SHA512

4e82365c54a897d60ecf2fc1d48d71c6f2349750558370f7165308afa6a3e429f164455234334eacfe293ed82f6c7f745fa5bb58a2c4e2000a496a547861f676
SSDEEP

49152:7JZoQrbTFZY1iaC/xLjwrTEWcVtb/vSNTOHGtLUYTwZwcgRLKLCdjrnSYCFyg8qs:7trbTA1ejwrItTvSNTOmtLtw4RL1rnnd

Score

10^/10

remcos remotehost collection discovery rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

204.10.160.212:6622

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-98KSNN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 23 IoCs

pid	Process
5008	name.exe
1660	alg.exe
4656	DiagnosticsHub.StandardCollector.Service.exe
3976	fxssvc.exe
3292	elevation_service.exe
4908	elevation_service.exe
1140	maintenanceservice.exe
4728	msdtc.exe
4036	OSE.EXE
876	PerceptionSimulationService.exe
5040	perfhost.exe
2112	locator.exe
5032	SensorDataService.exe
4744	snmptrap.exe
4536	spectrum.exe
1228	ssh-agent.exe
3980	TieringEngineService.exe
1216	AgentService.exe
1324	vds.exe
2752	vssvc.exe
4384	wbengine.exe
1328	WmiApSrv.exe
2080	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023c76-5.dat	autoit_exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3d3b78a6c1221773.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	svchost.exe
File opened for modification	C:\Windows\System32\msdtc.exe	svchost.exe
File opened for modification	C:\Windows\system32\AgentService.exe	svchost.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	svchost.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	svchost.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	svchost.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	svchost.exe
File opened for modification	C:\Windows\system32\msiexec.exe	svchost.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	svchost.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	svchost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	svchost.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	svchost.exe
File opened for modification	C:\Windows\System32\vds.exe	svchost.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	svchost.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	svchost.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	svchost.exe
File opened for modification	C:\Windows\system32\spectrum.exe	svchost.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	svchost.exe
File opened for modification	C:\Windows\System32\alg.exe	svchost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	svchost.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	svchost.exe
File opened for modification	C:\Windows\system32\wbengine.exe	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5008 set thread context of 3868	5008	name.exe	87
PID 3868 set thread context of 2816	3868	svchost.exe	114
PID 3868 set thread context of 3528	3868	svchost.exe	116
PID 3868 set thread context of 1136	3868	svchost.exe	117

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	svchost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d53a7c70421adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fe8ca70421adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe85c870421adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007535f870421adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c753c72421adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d8a6b70421adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb0c1071421adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e953871421adb01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2816	svchost.exe
2816	svchost.exe
1136	svchost.exe
1136	svchost.exe
2816	svchost.exe
2816	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
5008	name.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe
3868	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3868	svchost.exe
Token: SeAuditPrivilege	3976	fxssvc.exe
Token: SeRestorePrivilege	3980	TieringEngineService.exe
Token: SeManageVolumePrivilege	3980	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1216	AgentService.exe
Token: SeBackupPrivilege	2752	vssvc.exe
Token: SeRestorePrivilege	2752	vssvc.exe
Token: SeAuditPrivilege	2752	vssvc.exe
Token: SeBackupPrivilege	4384	wbengine.exe
Token: SeRestorePrivilege	4384	wbengine.exe
Token: SeSecurityPrivilege	4384	wbengine.exe
Token: SeDebugPrivilege	1136	svchost.exe
Token: 33	2080	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeDebugPrivilege	3868	svchost.exe
Token: SeDebugPrivilege	3868	svchost.exe
Token: SeDebugPrivilege	3868	svchost.exe
Token: SeDebugPrivilege	3868	svchost.exe
Token: SeDebugPrivilege	3868	svchost.exe
Token: SeDebugPrivilege	1660	alg.exe
Token: SeDebugPrivilege	1660	alg.exe
Token: SeDebugPrivilege	1660	alg.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2744	4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe
2744	4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe
5008	name.exe
5008	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2744	4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe
2744	4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe
5008	name.exe
5008	name.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 5008	2744	4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe	86
PID 2744 wrote to memory of 5008	2744	4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe	86
PID 2744 wrote to memory of 5008	2744	4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe	86
PID 5008 wrote to memory of 3868	5008	name.exe	87
PID 5008 wrote to memory of 3868	5008	name.exe	87
PID 5008 wrote to memory of 3868	5008	name.exe	87
PID 5008 wrote to memory of 3868	5008	name.exe	87
PID 3868 wrote to memory of 2816	3868	svchost.exe	114
PID 3868 wrote to memory of 2816	3868	svchost.exe	114
PID 3868 wrote to memory of 2816	3868	svchost.exe	114
PID 3868 wrote to memory of 2816	3868	svchost.exe	114
PID 3868 wrote to memory of 4528	3868	svchost.exe	115
PID 3868 wrote to memory of 4528	3868	svchost.exe	115
PID 3868 wrote to memory of 4528	3868	svchost.exe	115
PID 3868 wrote to memory of 3528	3868	svchost.exe	116
PID 3868 wrote to memory of 3528	3868	svchost.exe	116
PID 3868 wrote to memory of 3528	3868	svchost.exe	116
PID 3868 wrote to memory of 3528	3868	svchost.exe	116
PID 3868 wrote to memory of 1136	3868	svchost.exe	117
PID 3868 wrote to memory of 1136	3868	svchost.exe	117
PID 3868 wrote to memory of 1136	3868	svchost.exe	117
PID 3868 wrote to memory of 1136	3868	svchost.exe	117
PID 2080 wrote to memory of 4416	2080	SearchIndexer.exe	118
PID 2080 wrote to memory of 4416	2080	SearchIndexer.exe	118
PID 2080 wrote to memory of 3264	2080	SearchIndexer.exe	119
PID 2080 wrote to memory of 3264	2080	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe
"C:\Users\Admin\AppData\Local\Temp\4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\gzvsmeyfjdzyxnx"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2816
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\quacnpizflrdzulbom"
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\quacnpizflrdzulbom"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:3528
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\twovnhtattjijihfgwiuz"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1136

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2620

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4908

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4728

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:876

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4536

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4416
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d0ec216df15d3ab731d7113872389c4b

SHA1
7581080e6b72b9ce460dec22261e71d8df1cea24

SHA256
51adedde288f18cf8696c269deefb975efae82127bc4a4aa4588c93f23af3807

SHA512
5477f8483e5c25eb7f0f5d25c993b632659f9885fed1ac45dd088483c6d289bcfc1500524aa2840ef252787dfdd786aa60997024aeb2fb3e8eb9d0bfb361112a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
44a497ab4397eb82e4c821eb2f03d823

SHA1
842440cf42996541786c43d1cfc0b608cc151be2

SHA256
f6fb0a7d3710a86991d70d862f952c6d49f33db49bd21a45f8df128eba78dcba

SHA512
906215679218e8369bd3c22bad38687b6b70cb2f169622fbea2f8915e2aae337f42bb9d630dbad2a02d0cb3adfe4e2ffd2b065977497f3eb033439c6d6bd16be

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
067f2da0d9e9482d7bb2257c673e925e

SHA1
316583f6d1934b83f02328c047cde495c7ceff15

SHA256
a5db059608620105f193fefe7a2d3c86200bb8869667fd01cbc78f0cf9fca091

SHA512
6b891d102a239bc9db9137372e0a7ac8e4f3b0ff85e5e8f140b890728d29186866322f545928ac9853c1359a76a18029c1aab8c1efc7a81e636b0e9ec88526a4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4c07f0c3a19a0d2e610023406a01d992

SHA1
a548c7c0b4da5906bd021c9aefc26e08e187d307

SHA256
1e27808d760b8c0060d15f28fcf4aebdd73f938570cb22cfc7a1b657ff4031c0

SHA512
fa00639ae62391fd4954c92bbb0d82533bc8d21c94bb348dd3716372d31741a8aa48d3dde18771d7c157669d34204da6aa1c31b40a2d41a7b91bd30a7c2de13c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
754ebc06d2751ef4fcb6561c1b7b2152

SHA1
3f7ee0e501f734479911deb3d0ec3a0ecff5e79a

SHA256
c790dcda2615d77bfa903052e16dfdc478f9e9638a827dd30ec8a8635a95c034

SHA512
6204a87a432dd21bb5da24945e17ec1bdc5e5268ffb5f503fcec56ca6435fc6d1695965a1e66624ad31460b2344a6871e531631d9fe19f423df592cfc1f80e62

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
528e6a3eb1a633f574efd240d4cc7304

SHA1
47a9def242034fa51ff17ca8192c5c804dc3ea7c

SHA256
275b4bcf3ef0d85106512f30e56c494f75991ba8706e22a04a7e1f0d359a1237

SHA512
6e60cd217e8b91450425799ff814401907f1f0c611d4b8ff3c4836f11717f150d400e43a5b9491043a9d468488dcf272fce1a7dc6162e4a0640345370ee4f5b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
c050a3ae3261cea7e7864340099ff0f7

SHA1
9ecf8e802984bbe415db5efec28f214275f05ba6

SHA256
bb18a0d71874be92f165fc6fc17fcaea529d8f8f17003f6346c3b3c6f3959d1a

SHA512
d8844dfdd601461ef955cf340f9107fee1f8fe59268a38d3bfe188b7a0cd174f6f3baef9ba75750d3c832bbaa69e541860d59b309a5f9e7a1885ad7fdeb064d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6acd231ca53bf29d5bab9c0167640c6f

SHA1
7603cb96e5121d0981032e868135fd9b85943a7b

SHA256
dcd220388691809a176c0341bd2fc922e820e77525cbfb0a741218d53e53cb59

SHA512
b459d9b5d655abb3619c5bec3dc9809fae3dcf1a4cb985dbacb71a993f1b063ab2ae09981913b15fb79544b748b633293a9e2567eb8448e50362587370531670

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
638078ec0582cf8163e3e4ce0dc5de90

SHA1
d6978d32c911a41ce93d6a632fddcdfa1b2630a5

SHA256
9c6f1a4ee245eb4d4342bf6e0bdbd3e5f2863963e760a8e7c2988ad0facba45a

SHA512
096a1f673f2be53452a8cdaaa442b7dd80fbe26c6f43465e8e42026beef31d7b80e0955b7446ba7b4237cfbb05d50b616778607abae7dd9885ad57a41f9aeb2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
dae44bc20c4b6d93842610ea7746bfd6

SHA1
74149242408e94115cac79f48b5d5fcfc137506e

SHA256
43eab6326c59f2947ba2241754d2669919dbf6751cc68e9e69b241b3c3a56091

SHA512
f06e812d70aca84a389e64104f8da55e86ac352ce5ac47087b29d658cf29da33332bd7745fc49821cb280468314272a5431df563cb5e5d480f0e9dd26fd71946

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e0f85f3dcc66a389d3fa8665bd0faf80

SHA1
58bf059d53f191245b679cb2dc700c680f238b22

SHA256
ad7ad8ea7642dc00fc8c2f548ead1055c33ee3f1e110649bc5365ad05032020e

SHA512
5c01c46e3ccdaf794d4cde8f7046310f354bb4d6814f01716e08e1a4d7d3b67e383f280ce640d509db42193243c072b9d7677f8dde7899cf7fc195eda775531f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
730f5bb1e1ea511c3147114adac798a5

SHA1
f3109abeeeb5c5aca3ea56dd8e2b825afe9213b9

SHA256
f55c0a3da4890ac1775ecadd6043e2513ea6463fcd359fe297e093021a284b05

SHA512
34c1954d0a6bde62f3d21ed1c18dc93ab77bd65c0172eec8f52f7747bd99be9c2c3aa1f043051f07eefa58da782e68afeffdf1306c9f26277d692b4dc202949b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
7e6c54501f7c7b236fa95360544f73ff

SHA1
d8ff6e6e25fce5f682e3dbf558d879ece0834bca

SHA256
cdf83490e316ad1e4484ea18da4cb484c46d77d4e961829d4066a8cedc72d6be

SHA512
dcfefb8b23b7e10c9a5086964791676183c8247500bc6c2a98d9569aedf20be873e71620ab9898dfee70b0bf8ba180f3e4261aa2bf1a9099f7f26bd092ad0a39

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
557e825b1a7fc2895f2a566ff619c772

SHA1
b1f6d7d2f16cb50f065e5d33f39638e6438e0972

SHA256
70dbcdb745e1a32870f748d0ec508728265e7c2adba817717f8f63ea1e580e21

SHA512
1a1fc85f772f35624a62378951dc2d63ab7b80ec914443298709da728f3f6c48162a0b2afa0cef07a4ab8be4484321f7b172f353c2aef7d4b4963d062264c3e5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
3b2d1cde60d9af425e3d727611bbe1fd

SHA1
9376ffb1987c3c56deefe0471f181f85ae251850

SHA256
3e24875a0a3b84e281b1864a5d247e30d7f3a9ca65987804fc9d9d45ce92bdd7

SHA512
464235dd8cb6f6e341018a9470590146cc555bc81beba5d5ca540494edae577b03467ed002f77d69c6d494d6a010406171b0a0b225f35c01a215dec75a956abe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
237448de6e8a5c8d82c41a00aa0d8abb

SHA1
250c6e1b1422369acb72b9de555ac788a93862a9

SHA256
a23cb5694426c076459d3a0372575cfc264ea51154cc038552cc48e735a6bd78

SHA512
dc85bab8fb142a2137a3a2fdab26294d78ae7fceecfa0f209169eb80171a6c35b275719378eec80c89aad60f77dbe531240d46a41210d357849067a2e91f2697

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d9c2a7f51d56093d9089105d750df3ad

SHA1
ef59ac7385378171423bc3033325ee405d34792a

SHA256
3e73da710d23472a4c24e3bcc9a6802b899b8303aa0b59da4e2c724c99826d3e

SHA512
c2d39991e801ace26a58a34d7623fac42c9ea8b726a5d05aba496ff458f1aad3dd62fba8f0a8e1beec3d7c08f15d39d353e280acec44cfd5b1d62c002487bf92

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d28728e1898f5551cb3d0b0b11c336c3

SHA1
a4e9505edab1bf193769bcfb19940461b4467d51

SHA256
f1c3f09cfb018c26531ed49a053b887ad534a89beeb3f56e1c56edd9f09fb6f4

SHA512
b175dbeadf928d9f28f7227295b8c772e2abea85ab8bb59188a2672345d3a7d086381ac6dadb1e65147b51c4290e587aec7c12184936aecd57beb71d0422e9fd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9f15c79591e1e4885880b5d6d52fe693

SHA1
a938ef34418bddaa9f6db1fddcdaba2eb47f03af

SHA256
3e4b35c2eee61d10ccabbad54623fa98f92200f28487f7b40ecb7729ab189364

SHA512
65e8df1185cebdde23a4c8917cd75d85cc5de2861bae8bcfedf82805f037e35c4949acab0cf00cd4fc1a33b94a1c2e1440ad8c6cc9418a1960ec0e79aefbc930

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
a41b76ba97c300dc6d16f6643bd2dc00

SHA1
0499b9112eb4a9e01e020b9c5f46f79b58b9cfa0

SHA256
8a593bd709d4f054e4b0f2b7948e5cf0aa422e7be46c1bb5855c6e45c748bc17

SHA512
53ca33e9f03c2a49cce1d640bf3073714934bb3943f9140983a5ad1de586225ac6a2d2dd07ba711252c6e98e6aca8bbe1a7e55e80255ec0681b6cd2abb89dc67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
73aa95433ff1a18347e076b7e558cc8b

SHA1
1d9214b56ab1fa9130f5d4072b74459658c1ff97

SHA256
abd269ac53b643363bdcf32c849f866046a0cf22c6a2e013c6ab2c94c7285979

SHA512
7f6972d1ee07b4827e5416a7a8e06f46ed4844f675b20c556e9db50a0f14a850c695b11d5941c0218d24f95441eeed84c247733e4fbb1136985a8bbfaa631eab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
6aafafa957812b6662619df4cb974798

SHA1
932c8951ccd8805b82790b41de613a6ecbde740e

SHA256
ad0102619665981d69f716d33c67595bf2b64ba9f5db5d3687a2a52328be84e9

SHA512
589fd029858fc4922e9efa4cf07fb1007fdec8a6b4e4ccec15ca623f0f1b4e4564f6174d5bf300de4d53a295b19773f40fe4fda766017d0c2374f508e1ba8123

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
25936902e2fc6659cfee3e9f352c191d

SHA1
a422a922872360d32cce7b0bf854b99e84e0fbc8

SHA256
78c9e5a9c8fb60c1af82f59ed9ed615d1d598822d762b7b0ac30f43d3df5647f

SHA512
89cc034d156e47c08e117eccaaf3964668932e852aa81ccb895edae776aa445e9fcb1439c1f2b352d17a590dbd4fe8a5ce50649dbbdd4be71b13201f1e5497f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
21a7f416f85509a059f6e7be20151d03

SHA1
cec9c0e1fea065f2b777af7d7d14cfdb022ef563

SHA256
b06603b41dcf4aef9fe29cfa3ab6d8d192f8060e65caa54938b28b84f9a3368d

SHA512
3c8da6f504511f96061ebb0176a94d92e45646981ffc297b99974bf6540235140fe11b0b7e12500e0458a7525f79301ac17a26e31f75db581f01a53efc161b09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
728eb8ec8b60a24edcf57db1535d6ad1

SHA1
36a0a3cb459825d0300c3e32b08948f5cbd32e28

SHA256
c1a32fdab7115fb708f2e89efe5c408d9bb38f4fb7ee1c22eb04a3b941fab32b

SHA512
9a250969adbd84dee688e16502c57666f32dcffad74949de3f6459b1378e71c375c9adffefa8e85054764ae33a98674f010ae923114198f0d8732345714607a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
59da982a5691e83173b039609ab6e05e

SHA1
60cca65ff84756b2b842ca9e0b79cae4d80e9782

SHA256
c6401df3420fe0e9106f401c17731bdccd52187920c49d996f70e650c283c4dc

SHA512
2f7dc1559dfa4a05dee0c334c6a5e04048768f7bdfce2dd31f5c734ca9fe2d7edfde659fa12400f7efc7409fddb59702e9750c7360616ec9246cfdf2074942c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
c7ee07fea554a8ebedd88fa9c7b197e2

SHA1
6b26bbbfa55d6aaec7af0f132b8145e585bc77a2

SHA256
3663c30fbaf025e08e84e341c9635131698e10756458fc4f276d2db497878fae

SHA512
a571d78f60ea7f35ebbd9363c64a802d0a6ba9c3478de0f0e6ae4d70c7fd6d48155036f0596ba445d0cd4fe0bccc1a4caf1e33bae67da0275e1de2d256f214de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
93ca073e7d139b9e16f7daa5ddffc5ff

SHA1
4a2a7f12c7bcece9eb817a6e31433a9da9d730e7

SHA256
1499a3417942d40019c4c9701ad1e70970537d1fbc079285f62dc3e9e7d486bf

SHA512
5193c547c47950b4abae8e07498e3e15c420bbe28f61d18c9849ebba63db470072e721f2ec300c16a177d8ed451fa10d0aa181d2bd92abd4f7825d976f953368

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
4fdeec0ade10ed4bd9af2301b0f4aaf9

SHA1
5d606448ecd4e3459910ad5d48cd19594b49c2c1

SHA256
2377f723208d1ebd5c2da59d9edc3c240bee54e596edeb26625f252dc9fbc19f

SHA512
85b9b67f054a6d004d772efe98df2d05430fb3555723c85025b0da680292f496e7b0ba9359b1c1753c285eb6392670f45736f73c63d7c7a1859846a0eda0c1e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
73fbbc2523f5ab21276b86314920447f

SHA1
128e59ba96aa0c31eeb3eb97280c8af0cdf75cac

SHA256
d18aef87809f70d1c03cfb59953baadd270ff34805864ae5eec5c608b8cf73f9

SHA512
21449b5acb714c538c56d3f5f31f612b62a6e2f32b445767741f8e63b9b713d5e914984b8f7f125c3117ccab9b8cc143d5a4ba0c03f2da60f4fccaa1d502e270

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
cda671be518fbbc591c7a69b9f56d29c

SHA1
59c2732d9c12c003d4c8678244c04d21e6c43723

SHA256
a897bcd54aecdd1851fc34ab7a4b99b1ed9e4165c1f14b6684f640e9b4629d7f

SHA512
cecdde5b61fe3d0955a1ad22e4271be1caae97b811f3bda9defec80397b4197bd29b5c0520c3be1a0704c777acd877cd8dbd9c9d6d71cdaa05a6dd47cd0bc06c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
58060015785295ab93a859fb4ece2a52

SHA1
5196ec77f814017652d02ee8e6995b8e1a514ce8

SHA256
f304a3595fd05ce3045cb3e506d8e13251eb81169599abb91fb8c54e3958b084

SHA512
705a6b0756433f1ea3d59163bddb187ee2ab36974249bbec9f2add9d799393f690a1f8fa81d90f2fc9f92992318ca20727fe27de41c76edd49fa905a403418e3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e49a5a427c1be2ef4c619690bd3cffd0

SHA1
72626ad4733a010d6ed099d9fd1790569497702a

SHA256
a981548808fdada738f110ae8c61b73b9d66643aede3b3a6ad3233a87cf66b27

SHA512
f45e535f7dec5605b9970a42907e8eac341f19f54950500a78e717b46863bfa0eca802fc6b15d1f7362d32368cd622719d1db51317ded5e85b1b1d2aea3fb280

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
814bffa13c5e3ba12db461ff3836516e

SHA1
a679733a742e9fda3e0cce3c7ae2ea7c403ab207

SHA256
551e0ccd6b845eec62d66633ed280c3ba5a19d0c6699816a125a8de1aed64a5b

SHA512
c030639802c0b46fe4626eb2acf0cb795904cf4c065d96eb3c717274c219e7c29d653f769024b2ec7dd29408e1634d7340be037c5bbc197008a14d09d7be18c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gzvsmeyfjdzyxnx

Filesize
4KB

MD5
16dfb23eaa7972c59c36fcbc0946093b

SHA1
1e9e3ff83a05131575f67e202d352709205f20f8

SHA256
36c49c94327c8cadcad4c0d2b3a8f5162fc7bb86624923484476c5f7b960bc4c

SHA512
a8b38b5e7bf886b78c5c7f01234b44647a252d4dfbcc06c99b863f8e160e3cfc151b2a83b8b49e09d13e8547419467da4bffbb8dee5fc6740032eb7c839d89dc

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
2.9MB

MD5
155573c10ba4dfaa5e03edbc0ec1693e

SHA1
69e2079d8d1b6b3b63054ddcb230ed1692215937

SHA256
4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285

SHA512
4e82365c54a897d60ecf2fc1d48d71c6f2349750558370f7165308afa6a3e429f164455234334eacfe293ed82f6c7f745fa5bb58a2c4e2000a496a547861f676

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
74cac1a44e0483cab5df14cf21607008

SHA1
b57eec1dd5b8f9027bb2d94311b54a5759fa0897

SHA256
3bcf9fe273ef31ea25449fb172bc924cbfc3dbf0a44f99ab663796cc3a6b0672

SHA512
6b01d1eba848452afbf304feaa3fb0f21de88651556949df44c9fdd2c885df835a3d39893a61425071d8f2f51e9112af7dec945e3fb734390435ea646e60acec

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c327b428c0c0519c879ebd2a42434fe3

SHA1
36d2e89a5f86ee49621829b45bd87db33fae8d3b

SHA256
bdb52933ceb9bf1f7d0287c4d7af8fdc254b855de2f2e76e76b388a18a64a403

SHA512
c9e7000ee8b5b968e515b5355a496e632b9b8dc03ef450ec9f5f58b678a67b071dd959832fce07f57c37f407b709beccf23375a86c804f9989e1163e001cc0e0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
21852b039942506fe9b44b5d10ba9c53

SHA1
b916aaa94258d0f82432a152443e320d6808dc8c

SHA256
35dc3c34add106a28690ce0c9dff06066eea5d775523bcf8222f566ab54146e4

SHA512
7df653165901b0ac0600d498e987052b947f5c08e90f97eaf719e53f8abb1a4093ab1fec49a1e5a9b2bbb74c41e30cb6a95fb81a0192981325766bea7c4a044f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
50a4d01dbe600c20b355a194ae89ef31

SHA1
42b7a567bff2af93cb7172daafddb5a2a97b6b01

SHA256
880b52a40a0398c652df61678d7068623e91bde3f383d1b36100d88931e4d176

SHA512
d41db8738406947dbbd60656128cc688b78fd7ee4a76738cbd0b56b39ec6ef6ba2d1afa33abf14dced02ce0a22551b1b3a08cf0938f59803d6b3b3b1900eea91

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
004bf9f0d9500ca838c05f59dbb44148

SHA1
e2ac2eafc83b6fb612b4663d6b9eb131f0edcd56

SHA256
00b189397f8d06725eaaefc4512016a1c0141571ed9486e91ffc3bb768760838

SHA512
33b679a7d5fa80af9877f357178d7f1cf2b51aa4073f08f4451d86ca7b9c748dfe1c257dbf12c039c454abe4d2eae5b48a69ff9635e5c5a7a19d5c6074027564

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
9265399701938684ea1165eae9ef1133

SHA1
eafdfc7640ab348e3b62da7443e85642e16fed1d

SHA256
a27ecaf288bebb76ea0e5c77b023b1ee055402cae8db863f120e8d1e2a5aff71

SHA512
688e90c207adcd4c939aa4d22a5bb3ea1f5c110bfad7827d3334ee23a87307ab7f18984475e83f1e8178aa6941360c86d7ea2c6d222905f00e50360c65c5eaaa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
51db025d8d120a3d0b1bfc42e2213afe

SHA1
125ab4c030d8b8aa78e09662e1f29cb5f3acda73

SHA256
8e01ff87c3afc5d4416aa3c11edfeb83b9b6448cba3ee1101e2e302efb8fd2f2

SHA512
5ce0a90d7d6b8849684488df80bb04af2ef0dfde77913076d68b80c33733c237565e9db10f5f69a89a6e88c11734b25c1ca8315711338f0cd2866d6c0d6467f6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2e0378c2ad6116efc3013ddf2c1c7eea

SHA1
ac6a3fe892a8daec9317fdb3550ffcffa58ddbf8

SHA256
9af536ab443af8cc1933c963b61c81e91a2752bf73e647a63b02753e813987d8

SHA512
1743e0642647118b13e141c7aea36eb4101154568e99389c7bb7be3c67ca0ac9cef382f6c51c8511df06b8fcdf90182e7712ab66374531115b20019f0fbc65a7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
95185adc1d52a3a616abb82e4a87f882

SHA1
3c4ec9fc1858440b8ef960fa7018da392358638b

SHA256
0bead2310a9f4e1725350a1dec59872558edfb02e137098a36d2bd098728cb43

SHA512
56b8a5d8356afbd2f2f78785aecb6a25709643671af5b715e91eb33ab758c8998f8448204b007d7e352b4560d489cac48aa892d37baa2ff5d023408465ff5d9c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
33adf80ce52de016de9748f5a5ef56c3

SHA1
0999a2a8462ea548c6232feb789343a542fb0f69

SHA256
7223df240f9b252307b665539c2bbddcf9e5d5e3a03f73bc9342904f6330656f

SHA512
cfa9aa7d36c93fec057b71aaf1d78d945f16eff94d24e08a914c367e37e41ca892c7699b73e2c47507f8ec937f969b4f7647028e90048f745fcb95304266debd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
69662f00d4784bfd12141d78a762112f

SHA1
d473f4f859c93a6bde8abab15836f4aa0fe1260a

SHA256
793954b1abe2ba63736d7798e1ee01b2ec62449f51261b62e13266fe63fb019a

SHA512
fadc075f5778aed7da08517806eb699a48f01db10756bd222563d2675a13231028928af94815e02c9c1e38141fdd2519e66b09f0cdf21026d9f61e5b343323cf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3f2b99cd869d88d4099ac789f50300e2

SHA1
2489160ddff0d7eb76004f60c582851e62a8d81f

SHA256
ad4829257a9c16d7bc0dc963ea101af82ee675a884b7eba0a5b5d9d9145c337d

SHA512
6515c5f8c7296e4b4dbf7da6f4ca1abb04db272449ce0ba5e1b570c22048c92cf9f4be5e9b3d5fa7f5e69bef98c9fad60f61322c702aeef12206941d6d0551e9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
f9822143404ba9f0ba9483884079ddea

SHA1
08ced97c8be4f7ed1f89858b170dd0f6ce70928a

SHA256
c734114a0130ca2982b015c91d962c3f132337154c6fa31a7b57f8a0ed8949b8

SHA512
022377612cbd73840e48742fa8fbd2f27bbc46bef09ba5f63f8c57053a3e1f328c402b7d0f4ecd03532ae0a067a138b128ae8900daa77f2115d7d3dc22c83d94

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
8bccab51de1d2132cc88fea60d6d9ff0

SHA1
cdca7ffd575760122519ada68fe3bf037a47d73d

SHA256
98cd92c19f7d64124868b24bf9cc639303e2cccba7b1e45d11505be7a6181e3a

SHA512
239f14d1265bf70629c07603e7b458f4ddb468ea976e7b2400235ecbf978f0aca47958c2d6d47d6c181033646347ee6312066b7e96ac5820ed49a51c73b7bf14

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
ad9f7bb0b4565b729a426841e8907a51

SHA1
66182a0b0bf972a82cc15ce74528a8ae46af0551

SHA256
bd444655cfc8fa28fdb02ac839a8ff6d24029574d581c05a5686ea32251bc781

SHA512
86643f00ce3779d6765185485b0798e2a23104988061b794424fe45492f17981ab131d6f2ca330b6855977e992871a4c54b897e4b665e8602f2330357d32311c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f41145bb5f9b4800b5b3ddd2e416979f

SHA1
5e408e0df55b97d79ee9deb0266a28358157fddd

SHA256
d560f8765c42b8a657355482666cd77012eaa766280c09fc2530e72bc4a3e1bf

SHA512
fbe4cdb474a5cad09e4ac4fc5aa689b520c1f34998deb01e147e986064c15dcb38888b2314a5a79b192f864cda22c62a8dde1f48ab4d6da9a7122fd1bb438f81

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
f7816241d709b3ac68c98d04dc6ab2c1

SHA1
66b15a41cf61925719a366e9eacdf11665bbc217

SHA256
f236278aeb21f9085e1dc50c257e8e9b3a11f05bb9189f7526602962e5cb033b

SHA512
cad2a6d5b97b51eed451d6864c3a1f76d22c3d1ad8e40e8a1b0bb7162f1ecabe425dfe75dc605bb726fa744eef8421ef8915a5ec5d4f147dc4a0320dc8ea0883

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d67d9fae06c06cc0e07c8ac4b141ff39

SHA1
593334f5c6e97a744765a93c128ef9d7b2fc7595

SHA256
af0b073e4fee217ce53a0c577be438f123ac87207396b21541bafce5a2def652

SHA512
ea3328a03343a97c07aa9815f6f0e21c3081a22548c3f58ca5c11ad8dae77fb21c637b7bbb84947f87554ff24fc2a34253887ce22defe6f51858213b14e47181

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e0b32f1ba8d6597fb4d94c788b89aeb0

SHA1
854f41428956c4d7b0dce5ce00285fa8577ba2b3

SHA256
40bb4e85da514b99c3b73a2f34a38e256c8187b399c9ead459a693f3d0f4624e

SHA512
2c2c3b0216a888d30b356800a18f71ff85f0293e5601fedfa6e2cd5ed9f5935ec59487fbbd8be52d7c8ff986beb8abdca76a0511733ba45178c4cc4285ffed92

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
ca75db6ee880fb7c79142f69b8737dd8

SHA1
9ae321a6d841341a95d9386dfa2d878ea20ffaaa

SHA256
ddc78317e6c715c1a0782cc50e54fd1b6668ce6851538e5b20f46d8e3fa2b70c

SHA512
58d0774ec6d8cd18e6f78a5b37e67eb4b040d532999c173d802ae170159e38aaca65c2c146d98d42e1657cb5e0dd536f139fbf3879b5a3f4b0524a934549619a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
a43af96559dd9e1481a7c30250ae2d8b

SHA1
3bf23b5ec359e41e9bfb5cb5a6cf9342d07de9e9

SHA256
9b2eb38c1bbd2345e94a2dbdebbdd9d289879f1302c87522467b8be0378218ce

SHA512
8469966f1fe0a001fe1708debb0eace1724832cc3d3421048b05635c7a964d9bce28d4599552729982788e8583e42ce88f089c14fe3c5e0b94971c80b76610a9

Download Submit
memory/876-132-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/876-251-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1140-91-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1140-100-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1140-90-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1140-102-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1140-97-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1216-233-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1216-236-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1228-200-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1228-459-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1324-543-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1324-240-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1328-276-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1328-633-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1660-29-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1660-30-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1660-38-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1660-143-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2080-635-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2080-289-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2112-147-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2112-275-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2744-2-0x0000000004C10000-0x0000000005410000-memory.dmp

Filesize
8.0MB

Download
memory/2752-260-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2752-548-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3292-65-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3292-186-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3292-74-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3292-68-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3868-12-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3868-13-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3868-14-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3868-15-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3868-16-0x0000000003240000-0x00000000032A7000-memory.dmp

Filesize
412KB

Download
memory/3868-120-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3868-23-0x0000000003240000-0x00000000032A7000-memory.dmp

Filesize
412KB

Download
memory/3868-24-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3868-26-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3976-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3976-55-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3976-61-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3976-76-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3976-66-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3980-213-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3980-480-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4036-239-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4036-121-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4384-264-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4384-632-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4536-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4536-187-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4656-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4656-160-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4656-43-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4656-50-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4728-224-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4728-105-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4744-370-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4744-175-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4908-199-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4908-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4908-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4908-87-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5008-10-0x00000000049A0000-0x00000000051A0000-memory.dmp

Filesize
8.0MB

Download
memory/5032-288-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5032-161-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5032-631-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5040-263-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5040-144-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download