blustealer | c376fe2391abf98b6da345abfa7ce5d51da5cbcd172423083da3dc83fbb9cdb1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUOTATION _RFQ# 1043999.exe
Size

1.1MB
MD5

761e246fbdde33f37a9bd68fcc8286e7
SHA1

571eea7e2618ab05cb19bef6e9337855321d775c
SHA256

c376fe2391abf98b6da345abfa7ce5d51da5cbcd172423083da3dc83fbb9cdb1
SHA512

fe4ab08a13765c061c30cd3f6dfcbb34960f587b44f231eefcd736790fbe56788b4f1ec04ebf563644628c728d54d13ccd2aa1527cec05db5e3b664363b9f59b
SSDEEP

24576:/YtQ7AZ1RnHQjI9A4/wsf3Iz39pnvgey2UNupVchQXPA3:A1n5e4/wmItpnyJNwV2L

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 24 IoCs

pid	Process
1568	vyjlolms.exe
3880	vyjlolms.exe
656	alg.exe
4496	DiagnosticsHub.StandardCollector.Service.exe
8	fxssvc.exe
2160	elevation_service.exe
2892	elevation_service.exe
1368	maintenanceservice.exe
4288	msdtc.exe
5048	OSE.EXE
3060	PerceptionSimulationService.exe
3348	perfhost.exe
1960	locator.exe
772	SensorDataService.exe
4596	snmptrap.exe
1092	spectrum.exe
4340	ssh-agent.exe
4324	TieringEngineService.exe
1000	AgentService.exe
3364	vds.exe
3756	vssvc.exe
4512	wbengine.exe
2248	WmiApSrv.exe
4516	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	vyjlolms.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\AgentService.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\vssvc.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d9f2663dc4600f4c.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	vyjlolms.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\locator.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\wbengine.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	vyjlolms.exe
File opened for modification	C:\Windows\System32\vds.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\spectrum.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	vyjlolms.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	vyjlolms.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	vyjlolms.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1568 set thread context of 3880	1568	vyjlolms.exe	87
PID 3880 set thread context of 1256	3880	vyjlolms.exe	93

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	vyjlolms.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	vyjlolms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	vyjlolms.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	vyjlolms.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	vyjlolms.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	vyjlolms.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	vyjlolms.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	vyjlolms.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	vyjlolms.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f357eecc325ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9a23dcf325ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089e140c6325ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f577d9c6325ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074c906cf325ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020e005c8325ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008feae3cd325ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000013e76cd325ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	77	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe
3880	vyjlolms.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1568	vyjlolms.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3880	vyjlolms.exe
Token: SeAuditPrivilege	8	fxssvc.exe
Token: SeRestorePrivilege	4324	TieringEngineService.exe
Token: SeManageVolumePrivilege	4324	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1000	AgentService.exe
Token: SeBackupPrivilege	3756	vssvc.exe
Token: SeRestorePrivilege	3756	vssvc.exe
Token: SeAuditPrivilege	3756	vssvc.exe
Token: SeBackupPrivilege	4512	wbengine.exe
Token: SeRestorePrivilege	4512	wbengine.exe
Token: SeSecurityPrivilege	4512	wbengine.exe
Token: 33	4516	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4516	SearchIndexer.exe
Token: SeDebugPrivilege	3880	vyjlolms.exe
Token: SeDebugPrivilege	3880	vyjlolms.exe
Token: SeDebugPrivilege	3880	vyjlolms.exe
Token: SeDebugPrivilege	3880	vyjlolms.exe
Token: SeDebugPrivilege	3880	vyjlolms.exe
Token: SeDebugPrivilege	656	alg.exe
Token: SeDebugPrivilege	656	alg.exe
Token: SeDebugPrivilege	656	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3880	vyjlolms.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 1568	3608	QUOTATION _RFQ# 1043999.exe	85
PID 3608 wrote to memory of 1568	3608	QUOTATION _RFQ# 1043999.exe	85
PID 3608 wrote to memory of 1568	3608	QUOTATION _RFQ# 1043999.exe	85
PID 1568 wrote to memory of 3880	1568	vyjlolms.exe	87
PID 1568 wrote to memory of 3880	1568	vyjlolms.exe	87
PID 1568 wrote to memory of 3880	1568	vyjlolms.exe	87
PID 1568 wrote to memory of 3880	1568	vyjlolms.exe	87
PID 3880 wrote to memory of 1256	3880	vyjlolms.exe	93
PID 3880 wrote to memory of 1256	3880	vyjlolms.exe	93
PID 3880 wrote to memory of 1256	3880	vyjlolms.exe	93
PID 3880 wrote to memory of 1256	3880	vyjlolms.exe	93
PID 3880 wrote to memory of 1256	3880	vyjlolms.exe	93
PID 4516 wrote to memory of 1952	4516	SearchIndexer.exe	120
PID 4516 wrote to memory of 1952	4516	SearchIndexer.exe	120
PID 4516 wrote to memory of 2976	4516	SearchIndexer.exe	121
PID 4516 wrote to memory of 2976	4516	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION _RFQ# 1043999.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION _RFQ# 1043999.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe
  "C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe" C:\Users\Admin\AppData\Local\Temp\octkeqdy.riv
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe
    "C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      4⤵
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:1256

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3032

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2892

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3348

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:772

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1092

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4468

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ec9ca7856299c12900712fe0347edbb2

SHA1
42e8cb7ce22d092d03fc85c977bdfc3d694aef14

SHA256
ac3449ffcaafd480f14daadc29b8af677880f0b011304430bae65dcd475d32ee

SHA512
4159f0b15b6c5309b3e1d0a9c16bb1b8dbc90d0b272704690675a607ed9ecef2e301222b6d9819956afd989ae022a9e9bd84b14771048dd26945f0825d50bf5b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a3289ea79e19b0df2630d75e1a325e48

SHA1
ee9cef6c12d67265ae84e0cca6ad4537a0c5c0b9

SHA256
de2b88f5d5075db9a98d06474e90a7534438568232548ba6f100ed93072684ac

SHA512
887ad6e8576f6fc516416f3360bdbbd0e915cb9151d5e88cda13f04404d28913d7b3f7b076149053dbcba7bdf46919d5fde2d42996b165d78440cec7877ccb55

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a3289ea79e19b0df2630d75e1a325e48

SHA1
ee9cef6c12d67265ae84e0cca6ad4537a0c5c0b9

SHA256
de2b88f5d5075db9a98d06474e90a7534438568232548ba6f100ed93072684ac

SHA512
887ad6e8576f6fc516416f3360bdbbd0e915cb9151d5e88cda13f04404d28913d7b3f7b076149053dbcba7bdf46919d5fde2d42996b165d78440cec7877ccb55

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
5bc28e14fcc289ef7c57b4e12313229d

SHA1
72c300840ecb6f221634ed982b388fc487ef2a03

SHA256
4b4b129ffd982b64d4252370bbbb61f2ec9cfb57f12b9e35a715838d13f22c8c

SHA512
c3af45522662cad34cc7f87861d13aa9106f075ce8de2e3eb23396a98f0187927f822b5b690c5ed4211cde754ed778683dc9e1de9f58ab60864b58cd62da275e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
5b8d7794daf820359b3bb07b5fc8abff

SHA1
06ff6ba5d0994bbc1c46276ec13401bff2612112

SHA256
7e9a017b1452e422930c21081427f6e7d99deae59456d1004e9c9bbd88f4cbcc

SHA512
9e49452f5e32c72fa4842f42e644c1f1b8e85150dc4d86b5c4360958c67370a045194bffbcc4ee2843f2a8e5b4157949331cc816911af5511527c4c0b68f9ce4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
d81e8d9261178d1ae673a12ae9a8af6e

SHA1
8367f8481642377fc79a94dbe670d285df014191

SHA256
f33c02d31b05834872a6dccb3a14edd7dcf9f1584680842d47140b3d053885dc

SHA512
56d6cca003a011c60bf8b70595ea10723bf59b90512d5289103aaadd8b7289ad4dc24fc772c71a395a9d66956fc14cd320e8ce3377c21c76104d4e6443522b81

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
9867e013ff3ef632c589bfe673c4d8d0

SHA1
339ac38cc5e98d75ad8e6cdfd149fefcc7856d24

SHA256
cd1292ab5b0c70cebf7b5c869ebad8d3a9ae4ccc59d5ea9f7ba8aeea1fc2eed0

SHA512
3bdee2365067dd923caba06721ebb2fafa214240c1b4e80d0a977b4b300f12279fb538e09836758a202a3585b673648e3cc3b3fb1fe924f209306d2af8940b81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
eabfa1742136b0907ae619400247da3e

SHA1
9355fa14dfbbc764befa81bb2c9777587fbfabd7

SHA256
14355d5a11b940778276518b799b052c29c7f9c72934f2f4b0dc00a41c664f6f

SHA512
ee1e884b0dba83d49e356fd392f9cf939aa0657390ded7d73569c640a1d23d800e841c5e4cb0da965156f98546de88d11fcd7051d656f3953cac008d71bfde78

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
022c64b07c0cb039541942e5bb142048

SHA1
28bd5f5c66796d5e6cc250ec92eb991770994af3

SHA256
4bbf6e2bd24a4561686559d572c56ceb81be49fe731093092188527c5ef6994e

SHA512
55284941d079488ae1d4128d569c490efb3e85ee097596b29b56284d6797e9464e21a5141d0ba41b71548cde4687eedfcebab79aa015ef85bc4ce99e644c750d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
cb69d65314956dc8721c747923e31c91

SHA1
3dc5c7cca29c96988dfa5de403095a8bcd77a6e5

SHA256
a7e08a33e0007693ae77a6405d01fed48a5d96697c08fa6a4377a508bcb95ec8

SHA512
228e68f1ceaa7b7c127ffc5b083a2b61657259bdde71dc38357b45b51df36070ec33639b994f25e0abb87611bdb705433208f8a1d58afe126315cd5865c06ae3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0457addafb7bd8a0fc18641f0fbe2ef8

SHA1
6ebe3abecff24d8168d602243dd333b8bd617fdb

SHA256
e3dee7437a7de72872d5087f06950163fe108419f0489660e1658028d0b81d0c

SHA512
437070fdbae980ab5398c265746f1e2e4948b11dfce8c2f2b3a6819a0e351f49837af6aa700a6fee69a7dac2b062e792e5aa9e6aec14238535d9450416edb556

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2259b24f06f7ecc59ee27c0771dbe5f6

SHA1
08436a5e6565d7ace06c82842b2c5f7b0c8fc4e0

SHA256
fb96a76459ba2649a29d525439a33b98b65b8e502c082dd8723817b8d536417f

SHA512
8e32f7dee4c4beffd18925e9d18290a702a3c5f55cd24e377c4b2af9569dcd03a21834d06f0671b681180d96a7114b2d893934958877ceb8d22e9aa08b11f1e0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
58f8821ec18ba6f00d2fb43c73c6b71c

SHA1
4af946153f3e307afc05474e8eb4fa0bb52132f3

SHA256
27dee2f62b66dd33f4fb2bd01eca3ae6313aac53bff0e52a4f2898384609afd9

SHA512
47c3411ed2935f42b051539d24269de60d4d2ec60077b39ddbd8770f7ba803b387f4f9862e34741a22140ab3fc3aaf73cd3fb9e3cfa8bda66ec4006576f40a54

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
af384babf2b23e3195820b13fbffafc3

SHA1
bbfef5d5b3b46ab0bf2bc72e1aae201516a6892f

SHA256
cd20d7d22377fe1cfe9992f82fc2d2ef6fd461948fb2caa9af520dbe868beed3

SHA512
afb640ca5e62daeed85d61a84ab270c1a4ead60838143d19fe96a9e5b5d4d8f0ab736fc1fa7f25bfacde9236936dd82f288e345a1cedec95dc9b7f0e84f505b2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e3b013d7413523b53da9132f3b79c79a

SHA1
2087bc9f349b399381fd7b849974cb2f93d85502

SHA256
255cabe465a92391b060a398c9e4284d847261e760280c1428819a89622ba6d8

SHA512
c7a8a55ece303b345885377e4ae9d9ac0751c57b8603f8a0d3e48372d8991f42d569716bccbca1407d9170673ffb367ea395da80e809ef3010b133a4a04eddfc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
83608d01e20bb25c03ed0df0ed22c5f2

SHA1
1344a6e70cf47cf4a8adec33aec8216c313de51a

SHA256
9ffa64929990594f3b2d43ced99d9f85dd5d5fedd7670bd6e7bcd6b8132fa847

SHA512
2ff9cabb4d46e53c59f31fcd8e0d364b4b8e2dd1e8ed39263eed7dd9f3b15e2fab3eb5943f45dd6ba53531a6dd5ba9ecb6496e79a4197a67989ebb8286d4b5d8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
c70e665466d779b5e7a7965ac6967d90

SHA1
a0612dfe64bdd465f07dd540056023d81f4f771f

SHA256
679d1b3b79bd64b3c70bbec72e9c053451233e01f4a3eef876adec8b2c6a8f50

SHA512
58ca2336e094218da1bb6fdcb3f56dbf18dcce617eafa4ac49b3b0c687735378d93b84da5d2f3b4b9d340d269264c55104ab7c7a4d239833ec4fb2b65c34492c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
2417b32eacafe3c2727a44fe2ca5573e

SHA1
665dcfc22d0694e3ab2fced8f0dede7eb8f26f7a

SHA256
c64031b4c94d70849726b458d933fd452c84b6567e7442b6162b1f0283c8cc62

SHA512
ebcc701be00c48b15a9260d65978c164a0ff85d20557e32a4b9c717feacbbcaad083fdc0b626b125fbd6dd90ec959d7fae5f7d8ea2c84412913eb51248449c77

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ca575cb27da34885ebdfc00a0011f9b5

SHA1
07850ae9b911c41dd62c26491517ae0d92c94cce

SHA256
47902522e5660be80d8be333203200c22e1437ddf885d3a812276b3a40862b68

SHA512
d55ded8a7679c28a73d4ae02d6c8e44a633906efbb6b1fa8a12dae0bea83c73d679891154444a09ca05cb2583e74433a7250d23d519bc5fc6e58ff020a0dda97

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
916405ca1193aca4eb1d8bafc78ded57

SHA1
0e6d137fe2da33231b9757172ef7bf99166d85e7

SHA256
d7b319a8209279a792a2bc1706f5146e1020e2235dea397531c36957c1212670

SHA512
d88ec8135d850ac75d9af660232b09a82be631a2b1d051728f2bacf98d491f532dda025b439ef3b6e291f3eb9b045e640a6c38fc77ade7bf73f7394fc26504a7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
b5e287a6cc96bfa0e5174fc899ea0de1

SHA1
e97e4c54f222cc5a42b798fda6e3d9f796b99d41

SHA256
8b438c388eed7c63e81158b07710abf2e51e2ccdaa9988ad1e0637aa6dca1b7d

SHA512
041233317008decf47bb1e76b826f2a3cfd3617037436a5ffa1307ddeed2e3f727453f0e2dc0b916c1efed3b13aa38d08de79c37a8b287fc5f6a57c27e228ffa

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
0be006ad6512161c7aca49daa6517750

SHA1
5ef26e3c48a65b7dfb815a5501fce80746d916d7

SHA256
be0db9242b43ae8b1cee8c94a70ad85055a0904bc1ef7db453c98fc45b720d61

SHA512
dc1fe5f36dea762dcd0ebe9ccd94c74c5141e0f2b2c90b8096515fba386636d902263d8915500a53d4432a331fb58d3a3f18f8229e41375d19c650b222fc0cca

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
0d0cc72dd00e8549d6ee56b30964e010

SHA1
c97da35edda9001c86fd09e18f4057afe610bba2

SHA256
ff1c33f7adcd47fcc828ce516e664b6ea7ed60af6994d1183b8aea7c29803db2

SHA512
41b9b0968b144230fc8658abf39b52c968be41a34c15fc5e1a3a4a5be55d13952ea28c247f4e8c48e6c8df2b94681e53ea022770c664887cc956c7bed64baa7e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
d895ba8eb8ba78df8e24638fdf8fe103

SHA1
1179449787dc6e0034365736b61220c7413ad364

SHA256
0b34ae0b205d4d3ca3f552f466d31866514376e8728350a6f2e22cd3d2c1291e

SHA512
0b8655eeae1d3afad924c0ea464f35d47a8714312f16891c0b33fe439350a95d4b946ba92deb81b9bf886d98910f84ea9cd278088079bef07fdd9b0cb59923a6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
1773f5469977b00475fbee944c10ea30

SHA1
53c312e6ef836fc351e614740824ca647639e706

SHA256
0c5cde3033984a80348bc7b93301bb0441309e01d99fc4842e395d9a0563fbc5

SHA512
28627081639e152eb5df16cb34bf22ada279924faea09295e22855262abc5567cac337f54cd7b58864c6684e1089fc017e24a8d7662da5fc9800a9a283c143ad

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
f172df37712a396dd4fd17d6434bca30

SHA1
0e7cbd058da6fb04f8aa2a2b8e66582a4a5dffd0

SHA256
6ce73e1a356ccd793df28a85047d133866b70f742edf583bab8ab6ef54d261ab

SHA512
19e207e3ccf75ddd65c23b6c15f5dfa2d8f05ddea0a95032088c5d11f82c13c0ec844ffb1966d9109865b88bf1d3d039427f93620ab0ead0f8ba8c5571cf8354

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
4f0c5e47a268f9208ea8b24cc2a4d70b

SHA1
69950efb40f62f46ede846163bbf5b5cda9e20ea

SHA256
3bde0b97726968cac4ab9aa19e5110c7f8135da18baa179501045f0b6df397dc

SHA512
ca6508f2ffd936b0e99c3ce3f62c298b7034085af99c9381351e0798a44b0fd6e6ffe3d86226b8bee8345073039f1a605aa3e3fb70b4013aae51a3be20d7a522

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
cc2864e0d1e137d9bf68fe437fd061c8

SHA1
50efac819f7b44f2e2d66cb5d09a95b37de07b5a

SHA256
50af5a5760163f0520665f9478521c2fb3e21a9de4c3b55815026e6d5e5aaebe

SHA512
f4b4f1089cc358ecd925edd7272fe0b042b9d1fea14fa84e1046a8be190c6cc7b59362b94e56c2477ba3fa1a34f488fc50f60d6866065d71e14888fd3693dfe6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
f8837f9c78c15b9e33633b741c471edf

SHA1
55570a1dbd62b4a0a2c87559312c3b51d528a2f1

SHA256
2489ea11f333bd148c889b8137623be3e14542ab1371c361899c3888f63fdbb7

SHA512
fa85adaf9640c6f6b95d00fdec9cd64dac340df9093e02d66dcd781529db13bee4963aed1910d36047401c2aaa83a25d51a6850cec3d609c519786acf8493ca4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
02be8cdaa244260bcef365e833bc6481

SHA1
1952246656218e9e64f22417fa6f330f7ae0187e

SHA256
9b925dd4f6752701b3ed46d08082d8e1f3f6aba38112fe7ad7cc9a5f1897c71d

SHA512
aebda4ea6de7178b11f00563e0feee0e87261b515cb6b7ea558ee1672d0bc2bdd2abfb2066f12fef9956e8003d76cad6a245b7de34435fb21d1a06889afcfb74

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
a1a8db8a68489ad2df4a9414e28b55c9

SHA1
c58b989739c6a449c776964116fe08adf92e7020

SHA256
7e87fe96451fb06e4b5cfcd5b2907dd2abfffb05f2d71f4e86c3e1c12bd5fd0d

SHA512
3899061b5d46de44c69348f31389eadb276383c9c4f478854d5a9c1df2cabdc4d91b2485de1bee195cc4d4b6870e5598204f476ef3a23ee517784b12bafafb68

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
8a62f6b3da29872296f1dac1ac696400

SHA1
3e73bc0cf791450e808c2da0b64d9202f526d282

SHA256
3d1b2234be6791c997611bf10a840c09b61f44fb1e2759be13adc950421ff0ae

SHA512
91bc247a1ba03e08629980afb90694845486f915aabedcaf4e78d0578166df48ddcc6839b115e54140c8d6b7ed01c98d41dbd362afe836d31c2827d80c242dd7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7a288ee92b6818b54936248ce780f550

SHA1
d123a74d57578e51381ff4cff4be4f53f556b4ba

SHA256
dedc32d9cceeec6ca0f3ac124da4e4db8dc951f55ba1378561ab1bf783b661c0

SHA512
7a410dc5f07734be66859dacc173bd1d6daed5939b591b86c9af0f2caabf68d2970896e15b5bdfb2565527f461d7d58ebb3636b75e30d686b36346a05f43eccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iemuq.f

Filesize
1.7MB

MD5
1140e0ab5c6766629efcd09940ef76bd

SHA1
dbc2b06e30b3fad81dd5961f5f233391446e87ed

SHA256
ce0e0cdc76adc6ef5cd7a2f59255e98a65461ec6f1ebc91f9d01f8d0d4ead5a7

SHA512
58abddc8b7511e9b3621a280f790631f05ae661d5aa107a8437733e3dc3f9492a657b6b819253de62fea37f4af679477b59358796b564e3db5ea6c5ab4ce153f

Download Submit
C:\Users\Admin\AppData\Local\Temp\octkeqdy.riv

Filesize
5KB

MD5
aec7affe4d9f705f31877d5cd359ca9d

SHA1
feb8bec37e3b762e09f288e2ed2dca1b102ce503

SHA256
5523ada4c712d23e28a5785cd99c3a245532e6683510d3e10cfa6ed18003c84e

SHA512
32abc8e8a793cf7dae96b3ea5e813ade061abb3a96fd30f6fb6b8bbf0fc9034689361a209ed2064c5e78402a5d7642f4e49485525adb0d7b0870ddb68493a4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe

Filesize
254KB

MD5
cc6a2b79a494ed7cdaa7dad56e691fa9

SHA1
6ea3deb2ffeaa7d216b7cc60effadc7782ec6b71

SHA256
7f9b74f34fe1039a0f0fe010c89d96c498b2388c8349ac1487c3d421ca5fadaa

SHA512
09b1c4229b65f67432aa97e6525103fdf26793d50c4282118f33a7662eb5528a3a3813713bbf65bf9fa66aa2a511c088c02846a233cf7c83d423bc9062cbc346

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe

Filesize
254KB

MD5
cc6a2b79a494ed7cdaa7dad56e691fa9

SHA1
6ea3deb2ffeaa7d216b7cc60effadc7782ec6b71

SHA256
7f9b74f34fe1039a0f0fe010c89d96c498b2388c8349ac1487c3d421ca5fadaa

SHA512
09b1c4229b65f67432aa97e6525103fdf26793d50c4282118f33a7662eb5528a3a3813713bbf65bf9fa66aa2a511c088c02846a233cf7c83d423bc9062cbc346

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyjlolms.exe

Filesize
254KB

MD5
cc6a2b79a494ed7cdaa7dad56e691fa9

SHA1
6ea3deb2ffeaa7d216b7cc60effadc7782ec6b71

SHA256
7f9b74f34fe1039a0f0fe010c89d96c498b2388c8349ac1487c3d421ca5fadaa

SHA512
09b1c4229b65f67432aa97e6525103fdf26793d50c4282118f33a7662eb5528a3a3813713bbf65bf9fa66aa2a511c088c02846a233cf7c83d423bc9062cbc346

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
db9266329ad41c12425e9c641e1c580d

SHA1
d2388a1b1e34cde0b318f58805353a4a1369233e

SHA256
56f397a19a56fd7b9e42d617e2608cd9b931da9f3b60a1a7f0661ebedb93143c

SHA512
f444a6a76f8833d2d187ca9afd412b823278e920466845331ef84fca316d03c7a240526c1d7cb2cbccbaff5a3931744187719ba37552b25bf5420f2d9e63c1c0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0a6c7492d543a60bc6adfbfcd940f984

SHA1
1f5d0287d2cbdefb47c11e5dfb205422647e3603

SHA256
2b02730a0f2b8d40dee4df41e8a524e502b022a335a3c8439fc9317577bd8b8a

SHA512
02fca1e432791b1b6a5a24e6c84ee857277876543b95ddbc4efa89dfe2eff5b2e29714d9c622d48827c8dcd6b5d75070067af5ccea93d6662c4dec1f0a38bf79

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4489e96889a69d27dadb79350a547edd

SHA1
dfe5d57c6e19fe2675de612ff5d8482f81c6d7e6

SHA256
0e3b222573b6b7cb5f86d5ad9282ab3fcdfa37110efddf6be0c9da17528cbe5b

SHA512
577f9df553def5a882f21c3b983645367b88ff6e2f8a724851347594cee0cc49265afd8d2ea092e1cf6981c557948cdd788b0974094dcb711b417a9d5c5a5ebc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d9d745110b81c9c2ff5541e2b321011f

SHA1
15dece7a4b3d96c969c0cad0995f0486ca07e179

SHA256
155d49c4bb192490eb326567f051cadab2e3915dc656f58f5e821c1dbc413da7

SHA512
5ef28a4b164142c95b279d3bae28d70f104f64316e51061ec7d27cfc7eaa761fbc86d88cac96c4474658774a6b237fc3495ca105f5d9401e8a9045bc740b04e1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
05e8dd02a247147d3c252fc9b3b1573b

SHA1
9f46e4507fd7b0356e0726d9d28e52aeffb2be67

SHA256
d164a9e2aee1cab5f07a64f229a1b6bf95dbd0e4a59ab092e0592416756c0308

SHA512
8ec76f42d0f3b9a212e87a6f4b28811675d2f53d68f92ce244d6a9b05307f1999ddce1fbde428e8ca25d5673267d70eb1af36c776dbf41a68434eeb345a57e93

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
16b7d6b4131bd92758491afdd28927df

SHA1
f0fd5a0e8ff747530a01ef98579dd3ec7acf6b54

SHA256
98842186f6f2aad20255f921ef4242164690ea10530dd668259ad09953b364b5

SHA512
290ab3fcb2829239d8873a5507bdd5690e47547d11d4c606f12865446a71303c64d8da9cd5793506db932c6afc36f4efd42650c0e9e1bf7bdb1f51fc66b8b58d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
16b7d6b4131bd92758491afdd28927df

SHA1
f0fd5a0e8ff747530a01ef98579dd3ec7acf6b54

SHA256
98842186f6f2aad20255f921ef4242164690ea10530dd668259ad09953b364b5

SHA512
290ab3fcb2829239d8873a5507bdd5690e47547d11d4c606f12865446a71303c64d8da9cd5793506db932c6afc36f4efd42650c0e9e1bf7bdb1f51fc66b8b58d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5b286422c21da33770dad318b16a4522

SHA1
e3df0de66b97c10203dd869428d70ef09a4f543c

SHA256
21f44c4710357b4917f8cfe36d59d64f075214db2bc9a982d4456d342056c3d6

SHA512
7e86df1181a222e5cecd567c86eaf1568d601360fe213c49a134742afbc42b0e4e158340a2ad817cac3b2a56f69644e5f94cad34664cdf2ee15af45b8aef896c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b7732512acf083a4aeb3deb14cb96b24

SHA1
2077e470f2ca2fc1bfe6649aa95cfc504e870147

SHA256
ef1e7bdb531b81b2b80f94684bd75b6f77de427f51ef0e2e106e82a42eb7f7dc

SHA512
f54d67c327a42d728d587dc6a8ab1ffa980d15f65c78b50348031a7483700d844143574b5c311b1082821b6ea208c2ac355f12f14c435a78f1739bc0ebb4795c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8b1c26f04dbc12b188ebd160709bf3fc

SHA1
851083d176a4d7d6856bff09c8e9a2820bd16226

SHA256
451ab9612f66fa743da1e186194f095314e1d7bb81bd166c1cd3b5260893848a

SHA512
b85b9437d9fc7bc92b96cec3cae4852e5e93383517f92b6a58c58545219f6803773d68e026feb26d68ec25d6dfb0f954829928c74ed9a4db4da4a6f25524ced2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8b1c26f04dbc12b188ebd160709bf3fc

SHA1
851083d176a4d7d6856bff09c8e9a2820bd16226

SHA256
451ab9612f66fa743da1e186194f095314e1d7bb81bd166c1cd3b5260893848a

SHA512
b85b9437d9fc7bc92b96cec3cae4852e5e93383517f92b6a58c58545219f6803773d68e026feb26d68ec25d6dfb0f954829928c74ed9a4db4da4a6f25524ced2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c62f9696c1d8bbabf53a2dd80139a24b

SHA1
e9bf4898b2901d00fa07ff864be6e0a33689834d

SHA256
5a127deb34417af8e2421801e0a471406aa50ea68465e54e40748b5a841c4bbe

SHA512
1373b182713e484ca85b0fbcf86e88d6f7f29901d516f0a451721920e2462d5cd65960a58faca9734252caca62a488f133f96ca342808969be53deec5d47c358

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
31d20f236e4dc822cef509b0ac30001d

SHA1
a8f63d5c5508671a2ce1bf6c472d5ac5403850c9

SHA256
6f54e3b24207298c71aca6061c894750fc544a4178bac75c43a43095dfaeb3b9

SHA512
129f19d00b85d50e8d50c88f8296ba09787294bfea7d8e540e1f5183767aec2e1acfb9aaa166690cd864c40a2f218e495114e8a35b3db778407f23657c510cbc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7e4fe0c701fb38d1754b605c43e2c1f4

SHA1
f04f80683a7b99e5cd1d0837eacfe2d01d2f61c1

SHA256
e17714e531b9e16a56fa328b29b819f4d0545c97bffe2f754d93ce4d7de93a45

SHA512
46f90bc9428bad3941fbc31a07b970610952fc9f0b2bd916ee490d7a823fdfe966be69d7e141ecb49abcc01f4552c6e6cec6a3ae4e44f64543741d3c8fe1e77b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
57a20887a58b7b0179a27d34dfdcbe2a

SHA1
b309fdde1557b2cab097b480417198a2d0047c8d

SHA256
287658d154749c3d8d8c90e8cac72422be14a61c2e796a26a06e87b09d54a7a5

SHA512
7fb06ff84270fff994fb8b7b6e350c54a509bb05842590800b8cb54925976bd3b63eecf9d45dd01d616beab8062118dcdf51090fc8da99d50d7054422b289975

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
0a9503257da83ee4f04c6ebc1aa42279

SHA1
835fd16495924551a34c6035625471cfd9774efe

SHA256
32fbb381af492ab21a61f902d93d5af465d6236af8b73073b11632c302ade7b3

SHA512
93c08e5707b48c760e6dfe853f6345ba7033ffc4fc4084ca7ce602968ef155a4c09f13b013fbd71910866a3c4de2bccd9b93725ecc5a358d1fb421aa5609896b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cbdbb8bb9085c487125b572cd747c7c4

SHA1
aa059deaaf09e2ccf24fe41fc53a2318d347257f

SHA256
b8abcd640f2261e694d5b94349a6a9e37a929ac5e1fe56b05b4d29948fff84e0

SHA512
0d2193dbed559cb9087ce9c754beb076c57b31c656641b6ff5f55eb6648505664251e31887cb0adb6badaada38b52ad923922d38a43b48daf6005a5275bf25df

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b025c8840385a5729dae3f168155d83f

SHA1
d98f33499a31b82b49b10ae2ca793a2400d3bd22

SHA256
5ac18ccbb7b3c9d619066f0082dc4b305c1c872b011b38edb1c14f097eed681f

SHA512
d97ad13fc4d18daff6d90b7851345862031881134c89ae2d3aafcfe76bf13ed5332432aaa328dc471ef9782e7998eaddc1aca7f49fe5f4d750c545d410f5d11d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8c8c59d4c028d06d3d717c7aea1d32b8

SHA1
82aa3bd2d1bf0fa005e384063259c780f6adaf92

SHA256
468faf6ca990a0eeea206874fecf283fa08dd15b4c720b5315d9ce0be667634e

SHA512
95e41f054c3aaa2b3981c991c90fbbcb62b308cd3a2a815e59dd7ab9f8a23643ddeea007f7dc26e810c9bcac0eca035807280169e61666ae3c3be730eb6bba93

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ce4bf3a30d0124c18b0e98ee6794a2c8

SHA1
c850bd285845be801775ee0cc45624ae316d590e

SHA256
9e396ddf18f92830d4bbbeec8b884dac815e73679f27b4842954fcae647e7b91

SHA512
cee71656788ef139689952692e0b56908ec9e08ac274a0f6ac7ab9ed2281d3ddb5c87e1e5c6db9a9af0f425e64dab7ea541d1867d897a0aa55ee022772990242

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
0a6c7492d543a60bc6adfbfcd940f984

SHA1
1f5d0287d2cbdefb47c11e5dfb205422647e3603

SHA256
2b02730a0f2b8d40dee4df41e8a524e502b022a335a3c8439fc9317577bd8b8a

SHA512
02fca1e432791b1b6a5a24e6c84ee857277876543b95ddbc4efa89dfe2eff5b2e29714d9c622d48827c8dcd6b5d75070067af5ccea93d6662c4dec1f0a38bf79

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
60cc6afc666da877b42044756a269560

SHA1
b59b68e9bcf0cf1f38d90a814fd4d49e0facf545

SHA256
4534fe449e13d668028e8ddf62bdbc1859fd7a1929140198dab96a24fce05fd0

SHA512
8d4749b2711bce8e6e68e42be91892f86eba0eb3e2eb9995dd32e86a0d74b29285d3707c77c6b8f3909d72cd525a658cd2891a169bcb77ec37ac00756994b4b0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
396bd987f0283de228940dbf272b41f0

SHA1
b4b3555645b88a46c5073248d5f3c7ae598d53e1

SHA256
c38d0beb2631e4fa1517906e52be96aea2479aedab6004f0fb06a21635110181

SHA512
c8f48510b8a85f2fbea6bc765b656b0b062ea6bb49b27af815febbab1110c02ed14a013745ec1a31364335d615ab78b61dc97afdf4edbb2a65f8dde2c1b9350b

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d9d745110b81c9c2ff5541e2b321011f

SHA1
15dece7a4b3d96c969c0cad0995f0486ca07e179

SHA256
155d49c4bb192490eb326567f051cadab2e3915dc656f58f5e821c1dbc413da7

SHA512
5ef28a4b164142c95b279d3bae28d70f104f64316e51061ec7d27cfc7eaa761fbc86d88cac96c4474658774a6b237fc3495ca105f5d9401e8a9045bc740b04e1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
f32396b9551e3c4b582df8ccc6212802

SHA1
39ee8e9b3a7df34fc6c7e071d5e4dfb074e20a3b

SHA256
4e91d0e89a18892d2472c41d867343349b1558f48a559af8832419d9c6826c2b

SHA512
b95e89457a72fd1130fe09e6f78589dd6ab481ffaafc9e3734ab3078e39708b1aa98a21d6d161d04d5df7667eb3938b26ba1140012aa5a30a95b04aa8feff635

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
a7e5b8cf690c773860d7276c25e5e016

SHA1
09d8786190fdf904300db5ce902997fced4e60c1

SHA256
918f06979c1552aed969b4921671e57d62aa9f85fce47fd831436c8d7a795ed2

SHA512
cca02ac73eed02bd4232d64f1c4b90220bba731425793767e03dc230375c12e7248707b24bf5668c4f9d07392048b13ec266d56a097e91aa3656ed3ce9146770

Download Submit
memory/8-199-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/8-189-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/8-191-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/8-183-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/8-202-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/656-159-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/656-165-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/656-392-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/656-167-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/772-504-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/772-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1000-364-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1000-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1092-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1092-547-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1256-295-0x00000000059A0000-0x0000000005A3C000-memory.dmp

Filesize
624KB

Download
memory/1256-205-0x0000000001170000-0x00000000011D6000-memory.dmp

Filesize
408KB

Download
memory/1256-290-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/1368-219-0x0000000002220000-0x0000000002280000-memory.dmp

Filesize
384KB

Download
memory/1368-225-0x0000000002220000-0x0000000002280000-memory.dmp

Filesize
384KB

Download
memory/1368-228-0x0000000002220000-0x0000000002280000-memory.dmp

Filesize
384KB

Download
memory/1368-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1960-293-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2160-479-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2160-194-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2160-207-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2160-203-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2248-412-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2248-566-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2892-209-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2892-486-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2892-232-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2892-215-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2976-693-0x0000024332010000-0x0000024332020000-memory.dmp

Filesize
64KB

Download
memory/2976-671-0x0000024331FF0000-0x0000024331FF1000-memory.dmp

Filesize
4KB

Download
memory/2976-669-0x0000024331FE0000-0x0000024331FF0000-memory.dmp

Filesize
64KB

Download
memory/2976-762-0x0000024331FF0000-0x0000024331FF1000-memory.dmp

Filesize
4KB

Download
memory/2976-694-0x0000024332010000-0x00000243320B5000-memory.dmp

Filesize
660KB

Download
memory/3060-288-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3348-289-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3364-394-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3756-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3756-564-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3880-146-0x0000000002500000-0x0000000002566000-memory.dmp

Filesize
408KB

Download
memory/3880-330-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3880-156-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3880-151-0x0000000002500000-0x0000000002566000-memory.dmp

Filesize
408KB

Download
memory/3880-141-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3880-361-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3880-145-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4288-234-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4288-257-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4324-363-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4340-332-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4340-548-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4496-178-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4496-181-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4496-172-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4512-399-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4512-565-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4516-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4516-569-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4596-317-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/5048-258-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download