blustealer | 35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2023 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Size

996KB
MD5

6b5440ea657619e7301f3e923654cb3c
SHA1

1fbafb550989c2c944d3941545b68bd553175704
SHA256

35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097
SHA512

a652226f01fdbe1efe10ca765a029fa72a972f04a79b579153e61c3c02fed20bf265293f722a386da3985a152124b2334f140b8620d82862fe2401103f8a2c74
SSDEEP

24576:wxgsRftD0C2nKGe0Djsf9nz4mloFQnpXUMPQDR6q79dA:waSftDnGpDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
640	alg.exe
428	DiagnosticsHub.StandardCollector.Service.exe
5088	fxssvc.exe
4160	elevation_service.exe
1544	elevation_service.exe
772	maintenanceservice.exe
1860	msdtc.exe
2516	OSE.EXE
1924	PerceptionSimulationService.exe
2868	perfhost.exe
2504	locator.exe
2932	SensorDataService.exe
2168	snmptrap.exe
3204	spectrum.exe
220	ssh-agent.exe
784	TieringEngineService.exe
3400	AgentService.exe
2736	vds.exe
1752	vssvc.exe
4780	wbengine.exe
3800	WmiApSrv.exe
3580	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\wbengine.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8ed5d87950d0d086.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\spectrum.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\msdtc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\AgentService.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\vds.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\dllhost.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\msiexec.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\vssvc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2652 set thread context of 4564	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	90

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d667532d17bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fa55f2dd17bd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007278f32dd17bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fc5f332d17bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cfa782ed17bd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4438a30d17bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fba152dd17bd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc9dfa2dd17bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	44	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeAuditPrivilege	5088	fxssvc.exe
Token: SeRestorePrivilege	784	TieringEngineService.exe
Token: SeManageVolumePrivilege	784	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3400	AgentService.exe
Token: SeBackupPrivilege	1752	vssvc.exe
Token: SeRestorePrivilege	1752	vssvc.exe
Token: SeAuditPrivilege	1752	vssvc.exe
Token: SeBackupPrivilege	4780	wbengine.exe
Token: SeRestorePrivilege	4780	wbengine.exe
Token: SeSecurityPrivilege	4780	wbengine.exe
Token: 33	3580	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3580	SearchIndexer.exe
Token: SeDebugPrivilege	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	640	alg.exe
Token: SeDebugPrivilege	640	alg.exe
Token: SeDebugPrivilege	640	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4564	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	90
PID 2652 wrote to memory of 4564	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	90
PID 2652 wrote to memory of 4564	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	90
PID 2652 wrote to memory of 4564	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	90
PID 2652 wrote to memory of 4564	2652	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	90
PID 3580 wrote to memory of 5000	3580	SearchIndexer.exe	119
PID 3580 wrote to memory of 5000	3580	SearchIndexer.exe	119
PID 3580 wrote to memory of 2744	3580	SearchIndexer.exe	120
PID 3580 wrote to memory of 2744	3580	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
"C:\Users\Admin\AppData\Local\Temp\35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:4564

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1552

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1544

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:772

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2932

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3204

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4188

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5000
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a10545b6b658fb2670dfba7f2c0cc7e8

SHA1
271743fe1ee9324803fa2ebfbae1204c012cce51

SHA256
daca6894d2a1043c66c12bd03d82a6d177b11aa54b4f7ca523b5648d9c5848c6

SHA512
cabb91be3c127c8e7f3d1b7e7f2922396056e563d796ffba772fdcbfcb222696c0ffa8cc709c8029992030290eaf2c1c34a7cd02a712403d019dd0cec62d2ce7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ab600c7b95f0814435c51934787598b1

SHA1
f3d5c46ef4bda0503011ed34ccd6a586d2c678f3

SHA256
2fd63e54e44681c0a533e0d17cc9ca2c57b79a07b46cff46ab8d882f4a600714

SHA512
af951d31ed7dfe717f3769fdec09ec2a82a007932531b5c8c22d4c3017d4750e91ffd887b4f4962926b16cc3175d69c7172ec9cff83b65ddd8243df360f5d735

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ab600c7b95f0814435c51934787598b1

SHA1
f3d5c46ef4bda0503011ed34ccd6a586d2c678f3

SHA256
2fd63e54e44681c0a533e0d17cc9ca2c57b79a07b46cff46ab8d882f4a600714

SHA512
af951d31ed7dfe717f3769fdec09ec2a82a007932531b5c8c22d4c3017d4750e91ffd887b4f4962926b16cc3175d69c7172ec9cff83b65ddd8243df360f5d735

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0bd5a82d6bb4817b38b66c835678719a

SHA1
e641672a737bf2c51f219bf9b156e2ffb7103273

SHA256
59f0f6a35267dc7f29e04aafdf9dc15b7b795e984d59b12ae86d3fa300c4770b

SHA512
b5f17148bed52f76c5b82fac8577f1eeb23f8cfa36d5536a1fe2b4e201a027aadac47ed494225a8d4ec981b5bf499b22e4f0d77a6b408eb844495570bf188cd3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
7dc5d7383d276677674ac651d862f102

SHA1
656bc9e8e23b47e7b2eedce976ed8795802c9996

SHA256
aeb1d618dea6c4af85ddeb211c299a82eef307bc945ca075d326501450bc1d0e

SHA512
e448ba6f78f56e0ab1d44b8c3e45baf29111e31087af04db27ba17dd424f0c7b9e163d8c3531fdb4d6fd9a4e62f32ae958346fad415c379d8f667f68ed11e931

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
cc77509387a2322341762c6374291e33

SHA1
9c2b876bd00fdaedc687000c3963d0184373451b

SHA256
7ec0662e674328e137a3ba6b2427709e3afa952efee8710a8986dfde63f84b53

SHA512
0388fc8cab1967b070aaeda61492c2a329dc10f235e31b8b9f5d33122cd0b967fc89d82ceb8ca58bc44629ee6335197d397d4d9639378d08b3eaa507e48e33c5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f5d2b3328fbcd038ed824d7b98290322

SHA1
447b54a00270e433237909583b9adcabbe410dc0

SHA256
24e80726dc0cc04083711ac9cfa8a79fc9101d195403a2ed198e8aeac913a175

SHA512
00ee9dd819327ed5e4a4a83fdb6380ef00e9f6833449a3ad5a9e80c7eb1ff1e1a2479cd4e637b5370a61b8f47d9c9ab8041bcfcfd637cf828849e83a9f92a932

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
4b7354403b53c7e476b56838b208dcc5

SHA1
eef00abb271c6eb9c59b9e38eb8afdecb9e04b48

SHA256
1ec52624330aa330c656aecc8e4523124738022a8c570867b6447ac39ab3fa10

SHA512
4ddb33c6eb601d8c31911a5a0c6bb1aa1483419bbbd43f7c6e0951d31c586000a447de252073abcbc86d4a1edf52e6e71a577683b515a934217c041d14b06ef4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e39d994c5dc40909785fbc09df4dfc94

SHA1
113c484272dea82493567b4b68b8151c3299663c

SHA256
e6a088f4b89486ce8fa8df560fcaf272569771aec78798a61c6acf26304332fa

SHA512
62c6813eb6131e3a07487e37f52ad2e3afff06f9b2640abe12a63a55121ff12b2ecef38eec9f00f9f3bca44cc62c747218a0300e73c87220f31deabaaff6d3bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
d35673b4f49aa7cbbbd0134d399e190f

SHA1
f79173f18ecf23a3048f831d2f778f163a5bd3fd

SHA256
2fad6545e676c8895ae1e23558c083d331f596689e4e061bfebf925ae66ef6fb

SHA512
5dee3604dc63d5201adab3d3043cb6a411264131054167e9dd18fc9f67402a035d7b826165cc2b4d5cc596545b4c0d25906b886eb3d735d273cf863356c1296a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
abb4c6a09c8a1462abf74ef0a49a8574

SHA1
043c00ff71a01f6ec93e73a908a3145ab58cbce7

SHA256
25dfa8340fca9fbd1a414ee9cee2d5fb3477b9df0c8324cacb99a19b16b8ac00

SHA512
8558fb174eeff7eed9215b809e14cc8567ea22b60409b0489bb12ed560410f508f73fa5e29486f12265f1d7de774006e7f0f39ef9ec4b11596817f6ffeaabfa9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
71659ccc18872e0982c5490b456e859a

SHA1
cc351f7854bb182489bcf8f3e97d7300355f2771

SHA256
c35c7d05412d2c01530fe4d1a443b5eccabe23ba8f59a71a2d5770e69294ff00

SHA512
15d9aa2eb1c3e438cc9c630316f7670ebb04801a3c3cf940ea670ee46963cde79a2d814cb327952e48f47863ec5e4ecd16ac0ac8d06d0f5c179f7914ef6631d3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8395d9c951d760d3c4c01734c5b349e1

SHA1
11d072507c1ffe095c8846fcd4418dde812f1170

SHA256
8e3af696166abee6dbf7bd581a12f78cf683be7c603186928500cb02b61e5fde

SHA512
0b2c9d705570f4fab9b199984e958e055bd2ea8a9e175e0bc8dd502ddecdca0ce3b5607b9aa9602d9e22789cb2897245dc09582e8ef72d377bb90df4a2b05881

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
180a8686edeb055b062d312253d3e103

SHA1
027715606f41aa47ef6bceb9c1fbc2b8f5dbe956

SHA256
f5de32b6b28c1afbafc15bda16eab4aa0290048d862d8d75085257bb9b8c562c

SHA512
513562d04a58ad380ed9a3adefbbbe7b6a7f04235e3e6d0e63f214c101b2d7089a60cec1f39c2480ba77b628c6eb94694ff46e2a797e490576380450e231bf0a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c6b20fcabf579dafeb927e6447f5db40

SHA1
61c9a7baa9c18e45ead06ddab3f359d5e46fd045

SHA256
394a5c004c3ccae77264d6ebbacf521333e916a4122ef486cdf30050acc71dc9

SHA512
99cfce3643a6f66f234cf334eb9af596c10dd56c46704086c2561596874614937d1df6e4d11dce7055866ee6267eeb6a3cc628b7d58072cb92ef7c595c58bc9f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
8d06a39c04c1ab459267956c1144e447

SHA1
2a3751914f9fa6afc0a292cf1526b28a6d932c27

SHA256
ebb95c090c9983b1643be38f90686fe589dc7f96a142ca64e40b31741b6796a8

SHA512
326199b2db4beb6df62e764877b4a3aa84801a38eda6d1b59d77c71c72539343241f72d1c95ba07015481286633601532871630b23e145e043c8472035e08efa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
973e787272439d3ee1f4bbf648e13c90

SHA1
56016f293cb6b621c6c80e793065e03499903108

SHA256
f68d0e8855a97f4ced5c73c8a62558568a15c3ba5410b7d6cdefc6e6e6959322

SHA512
b231cd85e2b621198405b0b0f87fb50c08e37351563465a0a16ca2c7c6735decfc347bc3c34e1e5a226af8faebfb8501bcbccb845029dbd839a009ca4d7a604e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
5a4ec4ae5ebd460f3767898af43ca598

SHA1
9e67adbb1aacca13dde0bf23e99a0466a064c17a

SHA256
6178dab13b7b26ed370fff9472d9518f256e867140fb006bb0bee764dba625dd

SHA512
90024dfe54680cfa88cc9f62b727a605031f03d18d0d5a0445929a5b500403f9b55d87cde88e791ef02edcd85169c9dbef7452cbd5bd9de0690fa3cf5153956d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0c592366ff5cd3dcb4167bc6d44a3e53

SHA1
4afa7a4ea382489bcfe601e9fc71e49f94a262f2

SHA256
8bae907f1d1dbe620c69f73488d3108a3c068ab5937a658321806526284ce982

SHA512
fc501b53bd801cfebece70932e274250e831f6d8b0923ce82432e0682061cf55e9e4fb7daa99fcfe2d121e278b6f918261b917f0395efdd254cb938edde2e1dd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
659833ae05d08ca8f72bd45c1348bcff

SHA1
8c98ebf37453d7793ce0da312e591db9a28642aa

SHA256
e95b5ca1c6ce2216e605d0a2f55ad908bcbc4fdc860932eb95a7f767d993631d

SHA512
15ad9d70ce832baa57839c465b3975b97d49e4e43c64403462114cb8a160569686e893ada336d0cb0b986bb97a058a5cdf3c918cfb274bd0a4284486c746d831

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
852ac045faba4ec2592d5ee87d4a6be4

SHA1
428578ed10940d0d7a1f0766e483fa25f73251ab

SHA256
075b18e25a4a91d9a8460dda990aa8d068a3e6f672e392757900e2f820471a56

SHA512
f81d6e63b88a8386546407e23cbc82a21333e70badff710c20e782f26af84bbaf10f4411a771594b41d5b8d9edccf71e03c8f8055671439871ca1b6289a2678c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
9ce0468717ea141f7d10755e75d2fd76

SHA1
27c4b8dbb6ef2d4fffc9eb49479152d56a3b5a8b

SHA256
29533c6a5111c332beb06d14adb9115e7a619ae3d445bbfb5bebb0b8857ffeda

SHA512
831c22367ffe3c814bf0ac248657a0e57f80aae8a689eb81e5455ffd95dd090864bd1f8dee61ba0e285464881f8928fe361c97668ef3779fd4a7270d7a9356f1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
07f1c65f287db7a403e7dd3ec8111cd0

SHA1
f3edee06a8c602047083c414181363771da987e0

SHA256
daee498ec53d40b613df6a520a551e29bfdaf25d8364ab1869a2cf9f7044dd82

SHA512
0d4b361292e840fce68efa8fdaddd73a8561426453890d678bbb91c4a4f4d9ef4940ca427dddfaa5c6d4992693e7c3c11001432b48d50215c71be576fa6cbcaf

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
041d81a0307c9e6921dc535b99d3f2fa

SHA1
9b2038ecfe321cf19ea4ff930313a157b6c24fe7

SHA256
c08c8453ecb116e962bd391bc09518ef0249d43e0d59bb0b0e210356b76f2cc0

SHA512
1443327d134d33c0b3e50b0f540a309956e0a043052bda9a912c0271fc346b71c60dd5c07c7d0a1a499fcc98fc89aa3a68fc02cbe509adc6d72f0bcfe9d1dd6b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
f5cdc81969103f32485d57dc85d7b9a2

SHA1
52d2822cf86384dfb816f051691dbcb170718380

SHA256
c87a5ed77d5b487cd22e62bd0e08d7545b84b51d13df15caed021f829e7f04d6

SHA512
990029a0ffd315e3c30b9c45c36257dd81b11bfbddc9c63d8cc3483942d44cdfb7c29c47b52dcab6e25ff89398d2dae4a0c3054af36b42b899b9fc094fac2da4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
138092b280e6289c90bd157f26cc973f

SHA1
f7e926f72ef1a357ffe51b2dae213ade0df61797

SHA256
7945cc7b8d93a453a4cdb2224a0ffbfc5461564b43dd5dd0ef7307b9d7702fe8

SHA512
0dfaad080bf98ac484a632e5fcf41de7c8268c92f727f664857840701b3bd20c17ce53e0fd27024b645d6b7692aedae3ce27aa02f604ee625901b4576ee0ac3a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
6c3c6b63ec61068b913ce7b8c2291dda

SHA1
3cc8cd469155eab2961f94c6b281249285e86d07

SHA256
b2021f0bd9326f0c88411f1ad56ef1d9f32e6e5e257da5c7e49709c30929b77a

SHA512
4c49b83f666c00b015b5060ef5985f23667d36550419329f8fdb94f95ad8ff97f0bd71f1cd30d15ab28e0ddcb631ade2201fb7522933a9ee08fdc7537aa4ac71

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
cf671203781826d62861d7dc8d4f6098

SHA1
f35ba467253fa9121f33e42835cdefbc842ba6b1

SHA256
b057260ba9bad126d1881a73279be5fee9d3fceabfda1122bdc5571292b1991d

SHA512
e8b5692d73ab819e1d0b4e806e2fb9e779507ea47a15e28791b665694e65e2cefcdba93d6ac15e3927b5347c032ef1b368639b0d142dfed713f8d4682401abe1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
eaba7ef704c22c2970d23a40a1eb759f

SHA1
c3287dda58e8925e722950190ce7a1e150156954

SHA256
b5ed10c4de88c6b12c8f914a871ab7b5ce96c109ac4a4ddc07fa94f2344ffc01

SHA512
543a1d1f5914c2abc922d75132bbe466caff8eb5680610a34e277a6cc2399d2c6a82fe8bdeff1ef3f53d63d7a0641385ebb1485f9fbf3b47a68aef4afb221d09

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
8a753968a1afdfc70d929f685c0037b3

SHA1
434eef7ca1dd90d442efaafd8cbfdf8a0fb85967

SHA256
6bbf45898368f6da3e072571467bea5c5e90d50a3f8ab2556fddcfb4520a9ecf

SHA512
e4c99c56e223de3d8aec4bc357643f1cefb8b088a123c20b053d02500eda2997e2c6d60c830e51b1f21496c0f75fb504da47dd3e0ecb3b60b8a05c45a5c8672f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
9c9872f35419624325412679b9cae67a

SHA1
86f60b10992755d35f18e2cf3730991b3e7c0fe2

SHA256
bfd603e011237c33d3141a04d9832e3357dbab614e93495aedd4beb417df6ec4

SHA512
0c72efdf46ab2ddbd6b01bc9fe9b0e75bc334443787a05ec72e635fce548b5f30c40b0b2874fbccfe731b5f78d2f518b29b03422cb30087df944878a1cb179f0

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
99f587a62536f76345f9c710f56bfec2

SHA1
ba5f4d37b1df2a42d7128a43e48dfda40a083292

SHA256
5bd05d33bbd4d740e9d27abc3a42ebc0a6dc276599eb9af65d5f2a9cb8c153aa

SHA512
6b480adbd151b40699d86a715f526ef094c9087b5360bd81962469c417470820907f7dfcbdab0b63dc2ab5d8a0ec8d1867c2aceef154a3b39699fab03f6408db

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
0016ced96df146acc130d1dbb0f1be2f

SHA1
a9aa1e1f806f3b6e9efc293c46b56bf747f1ac06

SHA256
d2e0bb1080a41ce25f94351ebc4733064ccda1d7165b964cc2959d84e7430f6a

SHA512
0a0a9e25fe949666a0d5212fd00896415807637a6963badb91129feaa9f26e3eef7989d748117c214e44ec3d672aaf230c28eba6f2b13fa20dbd18692c7fe311

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
2182c73d5280c4745050d9b74a00d989

SHA1
13fb159cade06330a0514a33b71612b274a3df74

SHA256
d27b74d629c9bd6ad98f440d46794813d1c41a68156dd2a8c630b6878d50ae7a

SHA512
da49d3d45d891722fcbad12a685610b7d6b3698a1e334a612e85b7b8cafcc1ea121e59eac35d3aa94979010968503cd7165a860c0c872adaac6a0a494cebc941

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
1272644c2899842ade3d785c52decb80

SHA1
272954b37c2eff4f7e709aa93726488570340af8

SHA256
495ce250595a564add90a044da96f14d91d1e7ed149b1a1da038d0d79d746eb0

SHA512
37156ff86d82b7b5e68d01d849f2e0e97c6d67ababe09ada5d861811fafc9437d5a13d9cc74032febdd4f753e8be7ff918fcf6d0684c3cdff5bb2df7fe7d8641

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
2e6adcc065831f78e46882ff0ae3d0f3

SHA1
5968fca455d1aca59becc780dc6293daedeabb69

SHA256
10cd99845b44557a87d637ae8f162bdc8eabb60b5bf975dbd2e73721bf0f8d8b

SHA512
01c92763853edf24d0cf45a1cba93ca14747d40ee10fd45a26e61c023c18de252356ded44a11fe0475c609ecd78339a99b8a3bdf2f70b119507fee8f9454c4dc

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
9e075029ebdd142ba360b706b538aa2c

SHA1
09f0638a202d6e5ac53c725821ddfa6229d38018

SHA256
082d92d6d20b2b7a7ef5e2fd53afe387cbf7c159b39d59dc3f0580f897ec5d1f

SHA512
be874a857ec6917ad73992691561d9514c9cf7ad616970784ea7d1e3e45402dbf7d1dbceae3549c0f494f84d5896b9de0a3eceebe77ba0dd2663e62b30378d0a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2df2bfaf42072ba8a2c251569d9ff45a

SHA1
1058c4c82f722401f75ff702a0bee16678deabbb

SHA256
7dc9d39578748b16ac5bad5605e11fc86b1fd4588ebbb2e94954470452346674

SHA512
c6449c9b7db2311d3f14fbfae2db918114c72bda6004a7c132d543c5e9f97fc502249a744da1b204ae9b45625cd3b79a28e4f9cddebd640052d534c7702b8e34

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
398caf15898e6592487d1025feb0e000

SHA1
0cf86afbe0fdb5727cbbe58e99c6358fbb2d83f6

SHA256
49b535c23f8848b8735c022eb54ef02fea0a867a1cb3a54f87a6123d5b3a2f78

SHA512
c325d1d9b6b2e4ef48c933bbedffcae1e83148450885fa741e649cc90da97f69645c00f97cb73cfecc2a373a3542e6a882d65a6f774bf45bebddef532588bfd4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dfa153f3ec88734381548878ca9bb69a

SHA1
178219eff2651e9fdad4949273e46464e3693af2

SHA256
a34e3b962e4214115f57ce3f156b90b3161059b8fe82274779b09aa591810657

SHA512
f58a0f09cd8605b6b778cdb1feb50ca71bb1acc63af5843edd4107bc4b02c1b305782e19fed9433bf0e3ced335784227fda3edebcedcb35470f4cc34f66da364

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
bf4b7ae012dac57b1d25a01c33a56470

SHA1
3a7ff80fc8ab14c50372936246c553aa2c5ed693

SHA256
cdb34e5d53ad2ea6c347e5664134412e25df78a6099efa94e5640cf1bbd64831

SHA512
f3bb8cd571abd8141579bc59806464e2f4a86d818d298944d73f282ba4b7ede7b21a319f66be0c1d09069c1d2306d779d5b79c02dbc9dc2c6a6c55bb05b6ebcd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c68f7c85652a075200efa07aa9f91ce8

SHA1
f48ebd48fec6b2e2fb72a4b266d59d2a0a736b13

SHA256
1bd1316569b42b5cd8f37588d96c6ba648a4a5e15a62b52cf4f04fa95b51a0f4

SHA512
92900b61a66ce7ef4f540db54c726a7a69ceb520f2d8b7552275cbe854b9c3c0b846bbc845c2eb3bbd4f4e69170fa18e275768a61c98969ff5a0dcc2bae2e208

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
780bf062a648590ce5dde409f238cf6a

SHA1
d932f80b223603be94e3306cce868bdd523956e1

SHA256
55793fe4d71364d2f1358997e690acf01bfdc79962054abde4c76bd49d7a354e

SHA512
7984404e1690231fae1ff4f738e38226a68eb1355e5149fe80db095ce23da80a06fabb22d4aff37c793765c13bbb567a1da91997a1fd9f680cbcb3d6825f7ea1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
cecc73669f49d8efef3aa3d9f05c445d

SHA1
79d7e50c78b95ac46e63b8c416e560030acb0e4b

SHA256
b7971df6ab39554191278539a8ca751b3e18a66f3cae08b6eefb65c2d79a0a6d

SHA512
e402259c83c58f49802705541bc4f19794cc662d65739a9c9a6758404522e674ab3ebc1c1633f9335f2c9078c3c36c77920c4d158d8e5e663d6f85be92009599

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
cecc73669f49d8efef3aa3d9f05c445d

SHA1
79d7e50c78b95ac46e63b8c416e560030acb0e4b

SHA256
b7971df6ab39554191278539a8ca751b3e18a66f3cae08b6eefb65c2d79a0a6d

SHA512
e402259c83c58f49802705541bc4f19794cc662d65739a9c9a6758404522e674ab3ebc1c1633f9335f2c9078c3c36c77920c4d158d8e5e663d6f85be92009599

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3ed212636559c8fb8e333c2d4b842b2e

SHA1
4f80792763766d0436d82cfee02deab912e42a28

SHA256
f2aab1c840569f6de227adec4f251cbd607cbcc8431478c25cb8b2f4d54763c5

SHA512
912b85ccc5b8378f6bd37a7e359904af778fa9b9923128314c060e4d745139f69c8e7df29eb62fc0c11cde944a5be832f849a86689eda83b6322ce255d5a53cd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8c2c202e343b7361125dd08a6c4cb1d5

SHA1
84d088eb0a4f8392caca5d658881faaae7cf3c9b

SHA256
6aa69af8843aa370342918bbcf77f94ddd52d13fabcef2241495e4ef1ddf42e3

SHA512
3bd60612aeeacf871b8d1397fa13e8695522a2aa8d5e24985a0ec694793d67b8e20e0fc3142fcc2304fc387c1a6ad39f6dc1ee8aee5eae02b9cd34122d3b7392

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bd21a79b8365e3e2e576101cd9f2520a

SHA1
b974b2797572da41a6334720c4f03a116d263f1d

SHA256
511c5eccc682b490fe67d02ec201b8eaafb7a341a57a0247db7f95490045e660

SHA512
c3528e70560d87fc6762500b4dd56fd9d7797112a8dfe936ad97380015015065f20b26742175c43f146bbaddd2984575d91f486e818182d0e17fe57e4ce15b2e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bd21a79b8365e3e2e576101cd9f2520a

SHA1
b974b2797572da41a6334720c4f03a116d263f1d

SHA256
511c5eccc682b490fe67d02ec201b8eaafb7a341a57a0247db7f95490045e660

SHA512
c3528e70560d87fc6762500b4dd56fd9d7797112a8dfe936ad97380015015065f20b26742175c43f146bbaddd2984575d91f486e818182d0e17fe57e4ce15b2e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f04347c42a6dee22db181295826519cc

SHA1
70ff1eb8fef96d0f81fabf7c6538818c9939b2a9

SHA256
5c0526cfe46212bbaf821da4c9a14e9d2692df0f40ca4dff21493fd2a2b8db4d

SHA512
02fef7eed1970da7aa14320ab88f22fefb3819440e3abe05c95268121228175b4662f5032d0eb65e20cd57da043fbb6d78467a1468a0c610de248175fbe99f8f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
46f3e5a7dabbd5524fa12e8b0b0882b5

SHA1
620b5acdf9d5655cece708d8844e11cf8db9e732

SHA256
c83b08352f2842ad46d8a5fcd22282eee2a9d503966f20073a0ce23bc7d74da3

SHA512
2de0fc13f0afba830d646c4023600e0a6d49cf0f09b82e9b12a2d7681287ac669e9a9980de2ed140c6b9e0f3ef6011895dadf0207a8762d3a6422d8e77a0063a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
39eb56a9faebcfde4358c922abc583a0

SHA1
a24ca806f978c95fe1f3c67e2478c33b4d728ef6

SHA256
89e46fbf7e8fb2e7334c37d9045728f04f71916d493eae542acf7289b6da6c1e

SHA512
6e7955915477a2110ff33c6287b677cf3361be6cca99f0bd50f4f54c23b29fbd6499dd3d1d79cbeca3075ec8cb2e647395b0b967b14ea80dbd27383265ada3d9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
080da902c6e7816f8ebc1bf9073c7ab6

SHA1
7d69dc500b8ff17ae9bf014f446283c1dc17b9ef

SHA256
08f6951d400d1c90f6315aa3bb5c103953d92199f62b8850910fa661d1ab0622

SHA512
a8dd74d4ad862878349c0f95b8537b72a9f39c4feb00f8798b22bc0bf64ed77776e033d9b87aece5f77e50e424a278374c032269c8662fdb24f5023fbe15079a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
19a45e4591ca7f4c47f940e46a41319e

SHA1
2e1e120c9f133d1bddb4e231eb1ab700031e975e

SHA256
1a9e3db776b1fef22005d4854e56c1b0a833682b704212fa3c5f35a28a061fc4

SHA512
32bd16f48162eaefc73f8b1264854bfaef90bc8e2cad6b6943ccc0bb0e116bf7ee7c60950e7af74eb9f642092cdac27ec730ce7fa93339d0db6d1d2357eb81fe

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b9143695a0c3e5a593b9c6db71e00f7f

SHA1
3336655073b031821fdab3fc2320e01b4817782c

SHA256
0f850229b14a9aa83cd6543ddec45af828c467df55e3c8c637a0ed4163afc55a

SHA512
014ea1d74c847095bb9f1de18d899395e22b37d560c0b643110391a5574b7caab19e4f997feebbcc204f5be1fd3316fe44b5c4abf405c69bda442810eb128ce6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d11e57225dd3059af6f539442a7ede57

SHA1
d89d0082e0101f63d0400cd0d599ee2b6f881a96

SHA256
9aa4e919243fc13de1921b5652a9b5fee4e2e7feb5322238312d21f571879b34

SHA512
dfb238ad67ec8607f9104f5851104e0f222025ea9707bed37e459d29c0933eaf797e781442d31903e5ad5715c84d558c2645a0809db1763530222361ea97334d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b105444639d937077b8676b4ca610dff

SHA1
aed6697551a93b443eacbed89e4ef5581a1c3bfe

SHA256
e7d7a8681b1188d54732dde697d0bb49a5d473b5c0351c41e4bc253a44b6c1d5

SHA512
72166f934773e3232be0afb758de98a8f5e78c2c04578a60ae0c64affebf3342162bb4600030bf63538b59e04f2957f6db1af23259dbe55d412cb495b0e0bab3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8891f49078a6f28ddaa59bf4e51f7d71

SHA1
e1ad4088189c861933ac2f102e7c4cc05eb9eb4c

SHA256
e833ec818da26d2ed3a91ff46c0263b6fd565e6c1011dea73aee94ba8af64b10

SHA512
b3fa6e821d6fde9271f52c8027d8af8c499cfd6c1d90b5a719320ec00fbcccbf94394a6729a2acf614fe24048b7aa7a54e9617ff572aa3fbd9feb5e22423ce54

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
dfa153f3ec88734381548878ca9bb69a

SHA1
178219eff2651e9fdad4949273e46464e3693af2

SHA256
a34e3b962e4214115f57ce3f156b90b3161059b8fe82274779b09aa591810657

SHA512
f58a0f09cd8605b6b778cdb1feb50ca71bb1acc63af5843edd4107bc4b02c1b305782e19fed9433bf0e3ced335784227fda3edebcedcb35470f4cc34f66da364

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4ad9a19dca44b1c038a9b6b52bacc6d1

SHA1
792b300f3218cccd38af11f1848ccfcb3bafa92c

SHA256
03265d89060ee665e6772d7960af8e736c6cbb6f90b5b8fb87b7515e13524511

SHA512
b1609476b338fb70464e86813eb3e8c7c53eb657e38441be4027bf227f685081890d7703ea4543c091aca7076eb08897b69b2f9b42f4bc0a749e2930dabf03d6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3e7d7a21aaae259deec680125df333bf

SHA1
346b846bb2793541a37bab13a550b3c410ed3bfa

SHA256
ec8199882bb383ed0415c0f2da5967bd09e5bb197bded1e664cacf66d2cd9385

SHA512
5cf3359998d18d005ff2d5638c11b9a1ac05a6e73d26166a9fba1450d032fdd14ffcfe8498e80f3ee2718325e5ea10a17b7ce9f1f033c17e7a5383f814da1a4b

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
c68f7c85652a075200efa07aa9f91ce8

SHA1
f48ebd48fec6b2e2fb72a4b266d59d2a0a736b13

SHA256
1bd1316569b42b5cd8f37588d96c6ba648a4a5e15a62b52cf4f04fa95b51a0f4

SHA512
92900b61a66ce7ef4f540db54c726a7a69ceb520f2d8b7552275cbe854b9c3c0b846bbc845c2eb3bbd4f4e69170fa18e275768a61c98969ff5a0dcc2bae2e208

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
35c7b9c0a9c02f7b53b4fd5a2809a71d

SHA1
31acefebda7ef187497b2df675dcd4fbdc2c0aa4

SHA256
007ffcc32f86c21cc612ade90e0e49df4aff043e9c8e011925b8a67016b5dd56

SHA512
efdc6414ba321358bbb6fbc19da7ab5e52d04ccff044c3c525c65322af4e4db889ec45ef0d30f4a68d9238f71e258a52d092ec065967376f6818dfb636f91e70

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
96f92ab7dc2b5f5420bd6eb031a0a05c

SHA1
733dfd71b435feb2f191e6b0ff47d133755a4c6f

SHA256
75d0925c100b0140720df51e3031f42d11980379f8d008416f7a92bc8d7d2f8c

SHA512
95a2e073fe3d08f11e4bca69b94041bbdc624cb050ad6a14eecf422653ef5a39c487e6a11523aa506ec89fe1edfa315974f2cc252887029d1ebcc7cfb37cc455

Download Submit
memory/220-577-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/220-337-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/428-160-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/428-166-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/428-158-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/428-217-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/640-146-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/640-152-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/640-159-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/772-219-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/772-206-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/772-213-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/772-223-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/784-366-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1544-202-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1544-196-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1544-330-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1544-220-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1752-385-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1752-595-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1860-225-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1860-233-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1924-261-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2168-332-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2504-302-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2516-246-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2652-721-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/2652-138-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/2652-139-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/2652-133-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/2736-368-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2736-580-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2744-714-0x000001BE7B0C0000-0x000001BE7B0D0000-memory.dmp

Filesize
64KB

Download
memory/2744-685-0x000001BE7AFF0000-0x000001BE7AFFE000-memory.dmp

Filesize
56KB

Download
memory/2744-713-0x000001BE7AFF0000-0x000001BE7AFFE000-memory.dmp

Filesize
56KB

Download
memory/2744-684-0x000001BE7AFF0000-0x000001BE7AFFE000-memory.dmp

Filesize
56KB

Download
memory/2744-715-0x000001BE7B0C0000-0x000001BE7B0D0000-memory.dmp

Filesize
64KB

Download
memory/2744-711-0x000001BE7AFF0000-0x000001BE7AFFE000-memory.dmp

Filesize
56KB

Download
memory/2744-683-0x000001BE7AFF0000-0x000001BE7AFFE000-memory.dmp

Filesize
56KB

Download
memory/2744-660-0x000001BE7AFF0000-0x000001BE7B000000-memory.dmp

Filesize
64KB

Download
memory/2744-659-0x000001BE7AFF0000-0x000001BE7B000000-memory.dmp

Filesize
64KB

Download
memory/2744-658-0x000001BE7AFF0000-0x000001BE7B000000-memory.dmp

Filesize
64KB

Download
memory/2744-640-0x000001BE7AD10000-0x000001BE7AD20000-memory.dmp

Filesize
64KB

Download
memory/2744-639-0x000001BE7AD00000-0x000001BE7AD10000-memory.dmp

Filesize
64KB

Download
memory/2744-638-0x000001BE7ACF0000-0x000001BE7AD00000-memory.dmp

Filesize
64KB

Download
memory/2744-707-0x000001BE7AFF0000-0x000001BE7B000000-memory.dmp

Filesize
64KB

Download
memory/2744-686-0x000001BE7B0C0000-0x000001BE7B0D0000-memory.dmp

Filesize
64KB

Download
memory/2744-687-0x000001BE7B0C0000-0x000001BE7B0D0000-memory.dmp

Filesize
64KB

Download
memory/2744-710-0x000001BE7AFF0000-0x000001BE7AFFE000-memory.dmp

Filesize
56KB

Download
memory/2744-708-0x000001BE7AFF0000-0x000001BE7B000000-memory.dmp

Filesize
64KB

Download
memory/2744-712-0x000001BE7AFF0000-0x000001BE7AFFE000-memory.dmp

Filesize
56KB

Download
memory/2744-699-0x000001BE7B0C0000-0x000001BE7B0D0000-memory.dmp

Filesize
64KB

Download
memory/2744-698-0x000001BE7B0C0000-0x000001BE7B0D0000-memory.dmp

Filesize
64KB

Download
memory/2744-702-0x000001BE7AD00000-0x000001BE7AD10000-memory.dmp

Filesize
64KB

Download
memory/2744-709-0x000001BE7AFF0000-0x000001BE7B000000-memory.dmp

Filesize
64KB

Download
memory/2868-300-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2932-514-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2932-303-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3204-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3204-576-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3400-361-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3580-421-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3580-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3800-597-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3800-419-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4160-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4160-192-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4160-190-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4160-183-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4564-222-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4564-211-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/4564-194-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/4780-596-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4780-387-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5088-180-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5088-177-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5088-173-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5088-170-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5088-184-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download