blustealer | ef241b30e7e55b276b860ee69841d5062ecbe09d9bb5c156c03e2029730730a9

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Size

2.3MB
MD5

2648da902ed9cd72e1b0a129eea583a0
SHA1

701abc6becba1051ddcbc5652ec78dda7944ca76
SHA256

ef241b30e7e55b276b860ee69841d5062ecbe09d9bb5c156c03e2029730730a9
SHA512

1bc3751bb2494eb6a15a1661a135fecd1d5cddd51f0f3b7250c115a28808b149fd70ae7182f1b62442ffd2ecf0acd8c65c2799265668f410106cfc19328f0fa6
SSDEEP

24576:yxgsRftD0C2nKGH0Djsf9nz4mloFQnpXUMPQDR6q79dA:yaSftDnGUDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
3492	alg.exe
816	DiagnosticsHub.StandardCollector.Service.exe
3400	fxssvc.exe
3168	elevation_service.exe
2684	elevation_service.exe
3920	maintenanceservice.exe
1028	msdtc.exe
396	OSE.EXE
1044	PerceptionSimulationService.exe
3992	perfhost.exe
2180	locator.exe
872	SensorDataService.exe
4724	snmptrap.exe
2436	spectrum.exe
2040	ssh-agent.exe
3384	TieringEngineService.exe
4040	AgentService.exe
1488	vds.exe
5052	vssvc.exe
4460	wbengine.exe
5088	WmiApSrv.exe
3912	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\alg.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\locator.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e5b6b505c9ce9937.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2404 set thread context of 1880	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	88

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{989CBEF4-A34C-4AE5-A19C-57B2F66BB278}\chrome_installer.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b74c72f5437cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edc2e1f3437cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000692987f3437cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000339078f6437cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000719918f4437cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092d83df5437cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000175aa7f7437cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000719918f4437cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	64	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeAuditPrivilege	3400	fxssvc.exe
Token: SeRestorePrivilege	3384	TieringEngineService.exe
Token: SeManageVolumePrivilege	3384	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4040	AgentService.exe
Token: SeBackupPrivilege	5052	vssvc.exe
Token: SeRestorePrivilege	5052	vssvc.exe
Token: SeAuditPrivilege	5052	vssvc.exe
Token: SeBackupPrivilege	4460	wbengine.exe
Token: SeRestorePrivilege	4460	wbengine.exe
Token: SeSecurityPrivilege	4460	wbengine.exe
Token: 33	3912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3912	SearchIndexer.exe
Token: SeDebugPrivilege	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	3492	alg.exe
Token: SeDebugPrivilege	3492	alg.exe
Token: SeDebugPrivilege	3492	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1880	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 2404 wrote to memory of 1880	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 2404 wrote to memory of 1880	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 2404 wrote to memory of 1880	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 2404 wrote to memory of 1880	2404	2492-140-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 3912 wrote to memory of 4060	3912	SearchIndexer.exe	114
PID 3912 wrote to memory of 4060	3912	SearchIndexer.exe	114
PID 3912 wrote to memory of 3144	3912	SearchIndexer.exe	115
PID 3912 wrote to memory of 3144	3912	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\2492-140-0x0000000000400000-0x0000000000654000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2492-140-0x0000000000400000-0x0000000000654000-memory.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:368

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2684

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3920

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:396

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:872

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2436

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1836

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4060
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6dbb77c042a1be4be6d5a7694decc487

SHA1
25d7361a6154fb9078abab697903a463de5efedf

SHA256
d41c7b405ecbd067db2f37cd8ba1fd4957c499a12c4c93d26afc595a9a717f17

SHA512
4af34e7ed537f01d0d8ee29d72e161986d84ed77eab2f71b179784c8bc63d4665c1d58afa078f18aee401f2b789ac57b09cc1fbfd8b501ee030799699741181c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
619eab066adad24ccf3cd6edc6c88d2e

SHA1
48e876556dc3bd223617ab5838f69226e04b3237

SHA256
97b61a91ac597de74d2206097865355dda6c94087290672b7bf8009934378a70

SHA512
5110eb96603c0633f2bea5dfcebdcb022bfc46d060737a1e5666b7507ff9b1723b9c3eae03c8b1e39cc46181e2ef621ec9ca7b09ae28138cde5eb9bf3751223b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
619eab066adad24ccf3cd6edc6c88d2e

SHA1
48e876556dc3bd223617ab5838f69226e04b3237

SHA256
97b61a91ac597de74d2206097865355dda6c94087290672b7bf8009934378a70

SHA512
5110eb96603c0633f2bea5dfcebdcb022bfc46d060737a1e5666b7507ff9b1723b9c3eae03c8b1e39cc46181e2ef621ec9ca7b09ae28138cde5eb9bf3751223b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
94654cbaeb5e84aa73d934fc5b6aeeed

SHA1
a3a6902968a9b3b1b1202e10f8c4beac552b825c

SHA256
6ed64bf64a9c2aba46c36e66d15fc9afeeee9c6ab6f31ee4c7d6083a42e79153

SHA512
91f56ea138e5849c28ffe757394ea5aec87bda7ff164269084f07fe8647468c92ffae7818368614da75b5ae327ebeeaca78383e31e5764b820ac046cbc185bf5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
bde0d74c254d4d1aef4ea4a3c4f70247

SHA1
4b00606685413010a8ac414863ebdfa3b53c3f64

SHA256
9f9a07107a947265ab02d99b13cf379f6324e7dac66959b1a5d35253938495af

SHA512
68f25426b4cde960cf4e5807073479bd6a67ceb6bb8759e1dc42fd9fed3bcfdad7acb9701c1829ff2b7e0064aea75ca781b45ecc4caba0f4327275c7d433d081

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
1e0077a2886a9fb42783d311a337e101

SHA1
9ecaaefbce3d16278362ec0b9238991af9c4bec8

SHA256
a2275e37a0c07e322ce266ec455f3657b29e1062583885d89e6daa6a489addb1

SHA512
b65dd619927841d2a9ff9e0e29beb5b68bc923899fccd354c3abf3eaf414cc42adc12cdc17236809bb9338d160cd3b898cb92516620f5f6190326e3221dd607e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
818dba17a1eb4e46c01332451f47d540

SHA1
1db45528a96aea06ab59d1a7e2a2d215fbfd96c9

SHA256
277c2a76155004a090048b4b0d0503b264fff089014a4baa0af32a84858a0c7d

SHA512
910c95745926b34673bec4a3a97623756a9ae5516475cbe9b616c8212214ff2ec02f3cd14cda5a671caae692042d78d7f5f5f46aa6a94c92097e12c394a07e48

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
617c11682f499df0da014fdce3b1bfbd

SHA1
9bf81114cbcd0f11a0fefc17175dbcdccf1b9989

SHA256
2cd693cc2edcdf4268ecda933f43747adf96b40cf1afa261f0ed18d4855f8857

SHA512
e4cfee742b56d7d8f98f356775b73aad04dcac28cff0ce537d6d0b1a4ca78614d95a981dd36b24fa4344f013ae6eee3df77a2b21dc61514e332bc655d30c3e0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bdb7beca7518967c56ac1f2bbec8bf30

SHA1
c4177ae6b7a946a393f4f1dd1536d4377ba4927e

SHA256
fadf575b8f2b3e6c6fc5ec4c3487d372a94934649d6bda5247d8546584440ac1

SHA512
72ba6d18340d226a7c4b9870dc87645237e07e72d4d1f2856f2960e2074f66979c11d5a689ae0e7aeb7fd938fe7f0b5cc53b894faae54adecf732ea251223bf0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
5aefa9c2e2c289ff817727185da4e91e

SHA1
cd8ea6b771d405ca77c1cf5b811732511cdc83e1

SHA256
8465074db66c5ceee7bca56ffa89bdd217889d8dcbc6b82810ecb0413f13268b

SHA512
4197837530499a8c249e4f0e09df57b74b10f5af5c3d439a379c375bb9216627be0c713a33622a9b5b5fbe567da17d0a2ae6ba7346b8742e4720315c1b0a16f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
930b8ab2ebe4c97f8c4df6388f4d5be9

SHA1
f7399c25c411f328752590175cd8b83e7d75305e

SHA256
004bae18cc9ea3edf5b830f1ec9e6dabf0745599a1fc2328b748ac92c628de7c

SHA512
6f78d68a829091a89769e0e87944265f55f838bacc78ff7e12aae0f48179d57958990267fec4a9a4d6bdeb3b8013813ad42e350cdf226c6424f53a4c51be88b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9724ac3363678c176b404ad95b3c8e11

SHA1
60499153715fe3680ad225b9b47c52edb825532a

SHA256
7fb172031caaf11680391fb695275796f4445e97b984bd9c6ad5d038a61d91e6

SHA512
036ad720d0ad91fd48fbdec636f273637e5f073bdaf0f6a0db3cf2e8699ed220c421f7402403cf59964bf8fb321d57b4e2294360ae200bd4df1653234c5945cc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0f197bbf9a3df35734fb62ea548eedc7

SHA1
9843a853bef1a99abd8086a4e84e3befde91c92a

SHA256
0650e06218982fcde037d342d46953d60d4393a16c3c0b95eeabdbf59a2f9c05

SHA512
bd24e6622af8f3efe5df1a1dd6b26fa6df7690d1756b1d4e2796c983ff0ff12f3f726c31ff8e08105432c02cdd126a03fcaf137de8ccf7b9e51375e033b629b2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
a61944346d04685775821d32e5d2c0a2

SHA1
b21f2337f7a51d3e62ea5ac9e188f98a91c0f59d

SHA256
7052e1327ae60908c79f588896f2e0a5fc24288398384476b03955011b54c9ae

SHA512
3aea46812ce9b2c27fd9d1215b2a404d248f6ffe51605359d1aba95c9cb117c0f4ae00e46809ad565fbb74a631dd5a625ffa77783d63e1e4a44827716730ba81

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b90202f202e88bde2d4aa2f69b7c6ed2

SHA1
34bda1b035e0e8698bde3ee5a3274c6fc08d06a3

SHA256
3a29a97ac994beb4961aa5498896a9c4423671356587e3b3607c9dffa3fc1156

SHA512
a3a130752889fbd47ae0d7e8e624e39ffd260433d3f77fb19d964101aea856ba42f4430ad623a38b45b3aa12f85a306bbb754f7873d46819d547618d0da0af40

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
e56141e56e9d55e4b68b8a48f9e7f4bd

SHA1
27b5e47f0b726914ae33497d50ce2cbfe1dc433f

SHA256
3e224c285fe7a0aa4edc57a7a665dda200892ed1ee3868d94ed400b618fb15d3

SHA512
b00549466179e9c49621d8906f5efcaa0bc6e45905a72044292659bc356b335b5af40b5605081c006cee6008235dc6ca1619574a0ca24cfe2c1875e84d50f3ef

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
eca80594ad6dca4877a2a0f1fa020ee0

SHA1
33e7647aa2bb822df420c1f6d9392f73a4f7519b

SHA256
813765700be4cfe8ea1906469b9f7cdceb047538f6b38ca8fad9105f9385e9a2

SHA512
d6a5fbd9d4eb7ae946aa38b5be96460c65967640fd0c7f64c540a9e08da03220cc40d0ab0f9eb3e9687e261c5cc401df04596f8983903a599cf3dfb0a82e5c43

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
e5911ab45b55af1a51224a1bedf460c8

SHA1
6cbb2344c66dc41b1bc6229a176432748aa5a98e

SHA256
20c12befd236e838e535d78f7afb6c6d470335c6490ee52cdf57676e2ce5d762

SHA512
353632cc9665e714a45ef7208ab23fa65fce17b063d37eb5d3a4c1c88cac32d4bab699bd103961db495051850592fe6c3d09fdd7573c239eb7cca498d554d347

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
be69b417cc21cd07f9c866019cdb9dd3

SHA1
16705146796d281001ac0edaf3722f9dd9f58094

SHA256
09d76e1278cd24ecbb9e3a2822c4297a7204d8bce8584d1c4a299238dc79df5e

SHA512
34f90ed75947cd31f0844c9898b657f452f953ce7d3bff0d909a5da8782d55486520cd143c6a9957dc6ee1977063ab22d75653d03e0b66b8b98d80ce88faa740

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
6d0a80c7b9cfe324ea2dc746d9f57b55

SHA1
3c3ea2f6ae03d5b42565b788ac44d3b5389801a5

SHA256
069c86481f21958cf2b8ff89747b46b500196035fc1a02a794643c11a48be60b

SHA512
93d05fac684b54664c1ec7689fe5cfa025bd17229e5ee1f28a1d3820498d92d70de01516e63ca1b06bbe89a22496c9098d0ecfcd18c2e6445902fcc070261138

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
a6b2bec608763e0a8ff9accdabbb52ed

SHA1
9ad78d3ef6c83d80bd4705d802a8d18d5112ac09

SHA256
119d1af26330a69fa0a074eb223c2fcf6ea6910857b46d6bc72eb8942c74fb13

SHA512
2902384ddb359731540ae95d04e8def81a08f289ee046a51931b172a85e332e9187abdda64b81770658f01440f1be80e99a2584e96dd146e84877d372fb52fb2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
207b82a065d40074a2ec02bc46983ef0

SHA1
03090aeac9b8c894a27564012f2ef17d818d84b4

SHA256
13a46710fe21bd958cfac3a4a43dad246a2679a92d6f1ccf6e6884a211f46079

SHA512
6532931f47b19f9d55433a7e4f10405e2e6d93352b609694af722d97fda4cd3e48ef204916e448d1dbcc8ed9ca526f0d61a8782a8e911c292c88229c9820e23e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
4bc8348ad4c36f6e4a4398e380a68ec6

SHA1
c316d9b8fed162a5b328a16aa3a4a724cc508fd9

SHA256
2e3c1a6186c052d89577f92186ca2c81464e6eb96c576722007162745bbdad7a

SHA512
a61906516c648aedcc134db6efc20cc589a183490b8c775b92fecfec2df82be013ef2e5c09c83a654e293954f7aacdff56b1c4e396bea520d8d45fb92b3e6a68

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
9c6339c9823dd3a68a50904c11023e7c

SHA1
00f90b8379cc671d4c8c9d8860a9552705116a15

SHA256
a197e6c302434e5878e1ad7a7feae8dd6d24267db681987a5e460ffcd6d06bb5

SHA512
a59f5580785ac9fd453daa4bdf3bebc41c43800ad6abcc025a66fb74235dccd692833786ca6979b98f90687c19a3b0d42135d0c0e10c849eaa26e4350090c5e9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
f8be505e9cd6c72beba15286f17b8610

SHA1
f85668447deb471aeb69b3f45f6ac00a29aa97e6

SHA256
34b61e5b9532c0b8d4cc730412036066a867193b623dc4a1a9b622570b32e3c3

SHA512
a459ae557933764fd2e3a10adc2fe1154f396d140a76df4cc6bedd37f3cd2afe56f55daee4321d6e9175a60ef9bd765b744c0baabcc93868a96ab652fefbfb8f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
aaf435d98666736b4de5584b2261a014

SHA1
2508116571510dd9e6065249a42ad963cc4e85b5

SHA256
f4f6ca4c3c9ab26d6589b658398e2879fcb0ca1e30700eb46313209aa3dd7a18

SHA512
8dfc6b0cde254b369fee39a07acef491d1f36edb3f334868c1258cb3a0dda7b70f37abfb08a4166801712a11d5587063a2379e4a70453bc5fff5ce725d7f6580

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
6313419e4e0bc6303ca75190a2232c2a

SHA1
82de2a4eeb2517695fcdb6f612bd8abcb38294f8

SHA256
35f365e52f5e3c98c00c9551be44b24a189b71d8570b4cedddea55c2223d7ed8

SHA512
bb23f0e3776b357e3d7437dc7e88e05c862db417be70c2f01cecdea3d2d731124a2d2e6168f8fc6c3bead6ea33e97568010e50c9dfd45a9f6ec1b8ebc1c65c53

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
9ca6b4b32a349892265622a1bcbe22d1

SHA1
0013760afbf36edf504e9063c16c881130c77763

SHA256
243009f0b31185e90764f37f01bd13ffddfc19561e67d0746cb0c4ea99563bcc

SHA512
0308bba225be448ba349012fbbb7b8f8b30ba93d632a71ace5e32da552a945fd55ff0a03a12650b17d3788ec0a38ed4d2c2486b6fc76c0a501c65e5de57f1602

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
146831321d78c8e3bbb9b88336732b22

SHA1
596a76c0876dc474051fd48af8e3e56dc5d34ed8

SHA256
5e1de4aed9e11f8492e241c45cffad243868eece76be09f86acc0d963f236ac7

SHA512
2069b2e81aa3111f8f04bcc9e2d74dc27c56bc5ea28a0d50091954a36d12ca8135c1dff8d73d18385005bc2d8d8836943b395e9cce673b83d1c67aa642708778

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
be2403e04c7505023b4316cdc22c2a97

SHA1
5877ecb1c61570bf5270c0aba7a9472f01fc06cc

SHA256
d2d026654429ccd0d41e1d6101f94004b19a396e2f909af5accf922dea5a6e54

SHA512
d6c04c008c43648d701b7f64a4f47e9fc64d2a22cb39df5876ee43d5f48730ba3eca243fdaf6b55a9cfe20a9fc7c8881fa10c8d624fd82aac0f267a1389fc3ba

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
1988fe595eedeb99b89ef3923e215836

SHA1
5deb85c3c1013c39c5a96378198ffe4b3827cd33

SHA256
ff4713f22bafc69ff50612c33e311918f3c6aa1c439145c8237fc7f1b95c907f

SHA512
e5b6954a1d0abc9d65e2b5eb99f112715d828c680fe627c9db700a0fe96a8663e0477b387b4d226bd76a6c7d0c05901d65582ef637db51cb0e7d6715307df8ff

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
2eaf95af4f12cf0835145d6c0bd242ad

SHA1
59eda7629aa6cbeeab0fe85f5ff2d0395110b441

SHA256
e71e2cac00633d8a3a7ef36dd07f35570ec0f276e263093e82f1ba83f7560df1

SHA512
b5a3992d11f1afa60a2ab8bc7854c694972b5c40b5c8b516d105dcc82770d2977f39fdcaac139f9c0a9b439aa2f09f3fcda92c1fb38402d30c8373a09b14ff1e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
f90100e08114cae4c68dd27bb043bfec

SHA1
a26ad3fa8acd5d96309eda1510891bd5e9a85dfd

SHA256
b6fd96f47de0ebc9cb590624e0d1dfe0aa67dc905733b0d5861f588eb6732110

SHA512
6243c5dbfc1ab7fd0cd727602738d8642f5a929e651e50c67e3c86fadf62b10e1a885f253c6232e863454611e5a3df966d5e3ee6ea49e2438409c700420f4c3d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
79c691888632bd54525b188a84799030

SHA1
ea30757cc7401382830578f53fa9f12c0d59ed85

SHA256
b185f9c3d210c1b461aa90db5eb31965e7dcb9b4690cd30f896d6f9c4774be22

SHA512
a7b58f3de25785f191ec8f2a8d322affc480ac31adff70a2dbe2067a1d80633f3fe953be4202daacf9da6563932c9996928df327152ad50f090fc9a49ca390c1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
79fb182be4bb7a7345497c9bd93aa751

SHA1
fbdcde5547a27e3832be7b532c24acc5ca1f5c77

SHA256
c789fdcc6c3ba31a83ffdd8a6062b1b05d5894d3668d2f3b5e2a195426aac199

SHA512
306461efd8b6f74e16e35fef8a3a71c0f1c274aaafdb99375db704000813ea5af81913cbe4f9b4deabc96bd6a0a6994f4326c5b2aab717baef8f0a56a1ac2471

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
cccf96eb76c549755c53e1916c12fff0

SHA1
e9447a9f416cb6fe0944cb7a065264d245181182

SHA256
725e03abb1897fa9672c7ddb8ddcb925e345810576f1aaad4a479295cd106871

SHA512
4184222069d1b998bbf54c116f001c19e1f127134a3329a3b3b2ad376969e237628bf657624663c57d1e5af460fcfebf5acdf8f5d5317a9c07b83913dd14d0c8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
9f720fc6c27db423263c7413b040be78

SHA1
5784e6998930d9ed125bbdf4ba80d038fa70c920

SHA256
8b0fd9748586e6a79af0ae27a80a7b39f6b929ec1013b7791676608d2ce66967

SHA512
67520fc61affb5bedc702eed8eedb9edf38fef97087155b8c0eeb7e250655a21bff9542461a2648e2054c7e232f1b04cc6347b93aaa0ffc069e41cf589d27544

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3406e4907fbe2f5563f3cbb4010a05a8

SHA1
49fdbcd687e42045a73a0159b3d618f917c8f71a

SHA256
4953daf3f58002a108db0f3d8359091f726c02e5220648ac3ca16f68e1ddde32

SHA512
bf91de70045febed1886d91152808e6707d5b47a81d65a68e4533e0b476faac51cc8b1c546bf86716ef30156ea7ad0c345a6ca184ac68a8907a43619417764be

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0c7bc97ad1d0edd8c813359038b71b54

SHA1
838ddfa3d424acb8de1239f7eb72f0bb1b3d256b

SHA256
8800e6b5194ffad2cd843558d61cd0a7345b7bfe737fb9d122a01a0638bbbe1a

SHA512
9e104a7b3ced5f822a093e7cd245a8aeb8e6c40c50cb2d07c8674b816bc5af1899c7e215b73bee83e56fe65855e6cf7cfbbcc96b8ec088c44cc3c4bbae16cfb9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f85a335172005af3c755214ef75f6518

SHA1
29cbd67974902fdbd407dea3feb539cb669c6970

SHA256
82cd171997d9457e864aea1adc40bb4952f507cc1b58150be73c74a6de08180e

SHA512
ad25edc58286aa6a8b68e2d1970188ce5e56cbb84c94ff11d624c3a670288d026ac1115b8a26fb0ba5ddebc90ee27cf57ab0fc0346c2e51340c253e794c44191

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a60a65b50b19834b9a71cee2e8e7c256

SHA1
02a8bb1c3a690e5d52d07c449778340d1e402f10

SHA256
3bdaf8b7c6c326fbf304d6ab152d4abf4406188b8973a7ff01cba9a0bb183dd6

SHA512
a8b33387c542d1d9f94983a25339d6ea09c0ed9dfe6e241e6ddb03385690e035cfebb46df0ffc230ea869ec50a293b2c730af38e25a3b2a85abb40721d731677

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c20de2bd823b9e511c36874faec81e8c

SHA1
fbcf64eec686af0b95495e15b907d20364880899

SHA256
a5961c9992e21ff58e3e14ea83792dc7b0f5746c54f7866501254c7acf45f55b

SHA512
0229c7698f6f7efc8bb76e792a3b341d0627e6e962466c2ee787e857293aa4b1b660b18c9eca36bb5b632af9a5879518a9a1edaaa64b2874ca94fa1558de4fc9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
979e69ffa16593c9878883360fc1e5f9

SHA1
f47c5e806eb35d7934b51327e378480c0b4bdd7d

SHA256
091f528b8eec0fb19f2f1b3dc52dbfa93df1d4862c4c48c93ee21f1116d2690d

SHA512
135110b2caaab1756faea1ca57891a63a91173978f2c6b9282af457056bddec47127c66f57d0db586d1f4b6118218e8f2014bb8de39e5ac754a5291112687b32

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
e57d61a9fb2898277a0946da158af412

SHA1
f6460c08e9d295aff0198a05f592c187c815c8df

SHA256
5dbf74a2243f71ae02220e1ec847ed72a5297c4ed559e92918fe0a796292a415

SHA512
6ef6e15c665430fe51fae62ac554faaaf155f84ab65798756fbccb0eff6a18e0e33a625b87e4b56168474af393e2b6382e61d1f200d1e6bc77165349203ae1f8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
e57d61a9fb2898277a0946da158af412

SHA1
f6460c08e9d295aff0198a05f592c187c815c8df

SHA256
5dbf74a2243f71ae02220e1ec847ed72a5297c4ed559e92918fe0a796292a415

SHA512
6ef6e15c665430fe51fae62ac554faaaf155f84ab65798756fbccb0eff6a18e0e33a625b87e4b56168474af393e2b6382e61d1f200d1e6bc77165349203ae1f8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ed60cc965515813046d37d9c568f166a

SHA1
7677099a8c14f4cd19fb3c5bb2900c04968a0951

SHA256
ed883c581845703606cb4d987350657bcdffdd22432fb3b7a78491f582f8084f

SHA512
f5a4e8376c3fc33fe7874cf38a582b6618940e73c364c550d2d3f1e013371ab15fc507a37373b0d88abcf9b1638be6dbdf991b20d32b46f2d5403dc119ca8065

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
11ee30860e5cc9641a3b6d8a80eaed5f

SHA1
1e4c725ee258c2e85b3cd5af433fa6cd2b9e4a7e

SHA256
329116003f824c6310138b5ce416661b6f2fcd07554750e9549ec871ddfbde76

SHA512
5a67401c05f938023603f48e4138a07cf2ee6ba875da0d98ad8ead0281aef2bfc9163a557f7e66b15266b7b8702085bee5e89ebcff2d3878f49cab3dcef58f5c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bd5ce4bec137e4552ca74c07dc2d8196

SHA1
c17eb5f3f3015bd790a6f41ef3f401618ccb4b6d

SHA256
60e4b750b8fa8b9acb331e1c3bb507dbdd60da9b3911a6aea731dadd6b1a18bd

SHA512
a6ec87774fed387ecc503d2b0a028a9b121a8083c50f292442111ed3b40d32a60aff512c79961ec5850c44ad129d129fc3af912686b8ecbd3adf62601ff4b89b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bd5ce4bec137e4552ca74c07dc2d8196

SHA1
c17eb5f3f3015bd790a6f41ef3f401618ccb4b6d

SHA256
60e4b750b8fa8b9acb331e1c3bb507dbdd60da9b3911a6aea731dadd6b1a18bd

SHA512
a6ec87774fed387ecc503d2b0a028a9b121a8083c50f292442111ed3b40d32a60aff512c79961ec5850c44ad129d129fc3af912686b8ecbd3adf62601ff4b89b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0e448fa659f85778f41561aba7ceb98f

SHA1
927aca6aaa9dc1f892683c985e7dbf731a52593e

SHA256
ae1482af5fc76e981406f777ad4ce70ce0577122698c37b3ca9591acec6aa83f

SHA512
4fb0f3173bf461dd2e7f5acca1a4e547e1494c1b2ff48bb8fa26ef66491aeaa31a7048f825338a2b688c44b546fb8921b5073ffe790677f47a71213ec4547828

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
6b08da517f9a4cc779e3f01f153d0c54

SHA1
5981ae51ce24140f7dbe94c84ccef7ede577ebe8

SHA256
d1927fee66a757412b6536f1a81cb847e8c9661205eec88a9685536e3c59b1ec

SHA512
e170f091780939df38d3046e3c7ad5f25b3f47e65bc43fb98c7a9f4a0d7cc9d74ce8198988ffe79b6391e58f525f2f6261fdfc64108b0cd717e35ff84790d015

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
339faffbb6fa3ee555a407cf844e55c7

SHA1
d3f811b40e0e6cb62ab12b7518ee95891f986865

SHA256
b01bad283d9e1319698cc5275b04cb0909e46c1f0c04fe7a87f493d5c3ab2ccc

SHA512
6f1e1f265a118fa8e8e0ab806cdd2419cd7e8a6a47b57501c19ad3c937db90d531fb27fc71802d840ee1276b6f87bc32cdfdbe145c18fe35f2f98781b67d4d41

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a9a53d1c621687dd68f8c27233a589f3

SHA1
e740fad86bbcebf5dc855dadeac831f042f36e0d

SHA256
f86753ced1d9e0a20631c462f290d06b49e650211c8d684835fb1b9b4bc279bb

SHA512
2f85a8c7bfd0e0ad5e0472f308a92f745cdd49d6ffac2024c6e023cfc6556de79908a985acaafb0c4b947807874fa721e8347338e9986919e6522be5a4a6d97a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
05d39d94b0e5c367fa76d915e11c6bd2

SHA1
fe02f0cdb99658ccac1d27b7df2cd3eadfd8eb5d

SHA256
2a13479b5c5818289164c421f5e2b198dea446de662f3b157aaed131526f3001

SHA512
c98c08581f77b3224a53fda115c56b28dbf5591ea62bd870b1e41511103686a7db975bfd10208a1f21df5beae6e1a64776716c203476362d297f345ede0bd618

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fe6268b3d169b8153736e04bb819510f

SHA1
3561a445d243252eebe50dea11b9140d6e1e148f

SHA256
60e26bd7205ffbd548b338074ed67d147b242b9260d0a525fc9fe7c6d26b6fe6

SHA512
8ceefc1112a6104dcb7dc7bf35bbb4cceafe445271326f2973af7e04b9cd3d145254569ded0839d403ee121e35d46911e61a7fecab600cc02f499f2cd6b335f7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7a773c6c9bdb0354c2664ff05db1c1aa

SHA1
22af40c6b90b5d50f5152e9c0ce3cd96861ce3a4

SHA256
3dcd5107466b49c43b5254c5c72dcbdfbce1e33a140e6c8f7630a6775c2bbf40

SHA512
539e2bb52b135690886f9eea1e8e3c69adff94a5d82ff1ac8d1632fcaa1780916edcdf3243ef3d7582190e2eb44bc844c982246b512ecebfd3a2dfbbe9d66795

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
271f2fd6be8fb8e03515997042a4f2db

SHA1
e79ca827fa0541b94b567e9d8792616c70669de8

SHA256
6186ee4d71ff545efc314efb4d7dc5a75999c99991d7f6292a5b3518f09f6781

SHA512
26a00fe40e06fb5db0560176b8c9d4fb118452bbce5b74a9e9073ee00008f3070a27c3aada82ba7637f147c7d5862d9b4b5aee3242cba2f20f81358d6c7cbf8e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c97a60cbab6931bcac28bb9985c42660

SHA1
a3dd99ec2dc0ebd2773a9627845760efa7c039b5

SHA256
58879c879741f8f5b96023d6f1ce3a02fb8ca506a7bc51bcd6017d46c4b6b16a

SHA512
3bd23347c93a326738f9824db22377f332818c96fe12e3281519a8e60026e8c9bd7fa8405c134a3793df9387be808a6864c4b79d3d11c072c5558305baf5fc3a

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
f85a335172005af3c755214ef75f6518

SHA1
29cbd67974902fdbd407dea3feb539cb669c6970

SHA256
82cd171997d9457e864aea1adc40bb4952f507cc1b58150be73c74a6de08180e

SHA512
ad25edc58286aa6a8b68e2d1970188ce5e56cbb84c94ff11d624c3a670288d026ac1115b8a26fb0ba5ddebc90ee27cf57ab0fc0346c2e51340c253e794c44191

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
36710915dcf9ceed0eb5974802be4856

SHA1
9a6e58d1b1c6160ad4d3b874cf1b0462ce623f34

SHA256
5bd458ef840d88f3b839389d8cc559e707a95e6e03625521ff5dbc6cb4e75167

SHA512
edd21d48e558751559d55d76458dba7d42fd6c03e1aa06f71f17ecb1e0bd53191489848d6f672c9468d8c71c373f50b1ca4a6f6cc51006314ed4c222bfe33266

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
476b78c5f68fc9280f3c53c579c9621c

SHA1
500527f42ec454b6b8a4670785fb505ec1172e83

SHA256
6b124af79bbd465c2ae7bebb42d92c98b763d4cd55468e90b7f08dcd135c63f3

SHA512
b11ffcf33ed8079f215e9e6eca7f5939baf2a45d80906b1170bdcf756372b8e7efe81c213f0e26fa98734da04242fc9c8527e37be776ce28edca01c2c5d48e24

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
c20de2bd823b9e511c36874faec81e8c

SHA1
fbcf64eec686af0b95495e15b907d20364880899

SHA256
a5961c9992e21ff58e3e14ea83792dc7b0f5746c54f7866501254c7acf45f55b

SHA512
0229c7698f6f7efc8bb76e792a3b341d0627e6e962466c2ee787e857293aa4b1b660b18c9eca36bb5b632af9a5879518a9a1edaaa64b2874ca94fa1558de4fc9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
e39bd87250673515b7788e9c6db356ff

SHA1
4c64493553afe436882a52b8afbd42305deae8f1

SHA256
dc6baded8faaf211a7f627adc62a3fa5a361cb01368c8d7cb9b25040f0603445

SHA512
daee7e9ce4cd5a971dbeee5a1d156379a8842cf2f352c932b7e781a1453f260a3991e2c3d67c02268789724eabbcef235b591c78e6f23e57445519ede11a8f4c

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
5b4fed2c4408ec127fabd7088dd482f7

SHA1
26962592f841ad6b461dcf10c1525d6ab83f484e

SHA256
81e045066e8c0130d9f4947378f56b9f23368b57995cbdee1a6d4418fc19db57

SHA512
cdaee5f018b77d144c166d0313efe19f9237c0a73d85fd853a9a2ffcb24f1c8ef9634027286ee85f663989eda535c6667e271d56b0d263d6572d6e87c1a79c72

Download Submit
memory/396-562-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/396-236-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/816-158-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/816-164-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/816-168-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/872-295-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/872-574-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1028-224-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1028-240-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1044-261-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1488-365-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1880-215-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1880-193-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/1880-222-0x0000000004E60000-0x0000000004EFC000-memory.dmp

Filesize
624KB

Download
memory/2040-588-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2040-317-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2180-293-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2404-133-0x00000000023F0000-0x0000000002456000-memory.dmp

Filesize
408KB

Download
memory/2404-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2404-138-0x00000000023F0000-0x0000000002456000-memory.dmp

Filesize
408KB

Download
memory/2404-363-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2436-585-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2436-314-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2684-195-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2684-449-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2684-201-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2684-213-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3144-700-0x000001C6540A0000-0x000001C6540B0000-memory.dmp

Filesize
64KB

Download
memory/3144-641-0x000001C652E00000-0x000001C652E10000-memory.dmp

Filesize
64KB

Download
memory/3144-772-0x000001C6540A0000-0x000001C6540A3000-memory.dmp

Filesize
12KB

Download
memory/3144-771-0x000001C652E00000-0x000001C652E03000-memory.dmp

Filesize
12KB

Download
memory/3144-642-0x000001C652E10000-0x000001C652E20000-memory.dmp

Filesize
64KB

Download
memory/3144-660-0x000001C6540A0000-0x000001C6540B0000-memory.dmp

Filesize
64KB

Download
memory/3144-699-0x000001C652E00000-0x000001C652E10000-memory.dmp

Filesize
64KB

Download
memory/3144-703-0x000001C6540A0000-0x000001C6540B0000-memory.dmp

Filesize
64KB

Download
memory/3144-659-0x000001C6540A0000-0x000001C6540B0000-memory.dmp

Filesize
64KB

Download
memory/3144-701-0x000001C6540A0000-0x000001C6540B0000-memory.dmp

Filesize
64KB

Download
memory/3144-670-0x000001C6540A0000-0x000001C6540A1000-memory.dmp

Filesize
4KB

Download
memory/3144-661-0x000001C6540A0000-0x000001C6540B0000-memory.dmp

Filesize
64KB

Download
memory/3144-702-0x000001C6540A0000-0x000001C6540B0000-memory.dmp

Filesize
64KB

Download
memory/3168-186-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3168-190-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3168-180-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3168-448-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3384-339-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3400-184-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3400-170-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3400-176-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3400-181-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3492-146-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/3492-152-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/3492-166-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3912-451-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3912-615-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3920-205-0x0000000001ED0000-0x0000000001F30000-memory.dmp

Filesize
384KB

Download
memory/3920-220-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3920-217-0x0000000001ED0000-0x0000000001F30000-memory.dmp

Filesize
384KB

Download
memory/3920-214-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3920-211-0x0000000001ED0000-0x0000000001F30000-memory.dmp

Filesize
384KB

Download
memory/3992-582-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3992-263-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4040-351-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4040-341-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4460-394-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4724-583-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4724-296-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/5052-367-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5052-600-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5088-601-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5088-396-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download