blustealer | 96f62d789e0958b3dc3cf346997044f128d29098116e340786993b5308209806

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Size

2.3MB
MD5

58ed8a64599dbf61e2d8083b2c40107e
SHA1

c19e34b59e5ccff5657a1da29308c1015539df2a
SHA256

96f62d789e0958b3dc3cf346997044f128d29098116e340786993b5308209806
SHA512

0a461dd6fbd337452e2a580d0b381642e6ea4cd8f9b863008295fc1671c65ee6dc35886d9dd5fd46960d1c8649c8334898f2be89224a0b21cc824925333fb531
SSDEEP

24576:8xgsRftD0C2nKGt0Djsf9nz4mloFQnpXUMPQDR6q79dA:8aSftDnGCDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1788	alg.exe
1120	DiagnosticsHub.StandardCollector.Service.exe
3116	fxssvc.exe
2884	elevation_service.exe
1972	elevation_service.exe
3952	maintenanceservice.exe
1984	msdtc.exe
3128	OSE.EXE
3584	PerceptionSimulationService.exe
2832	perfhost.exe
2220	locator.exe
4016	SensorDataService.exe
3708	snmptrap.exe
1252	spectrum.exe
1712	ssh-agent.exe
1472	TieringEngineService.exe
4896	AgentService.exe
2404	vds.exe
436	vssvc.exe
3804	wbengine.exe
3176	WmiApSrv.exe
2640	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\vds.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2254130cea807a0f.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\locator.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 1508	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	83

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3161294477cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002aa58093477cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d34c6a94477cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d175b95477cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a9cb090477cd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009abb3693477cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b721dc92477cd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcce2a93477cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	68	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeAuditPrivilege	3116	fxssvc.exe
Token: SeRestorePrivilege	1472	TieringEngineService.exe
Token: SeManageVolumePrivilege	1472	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4896	AgentService.exe
Token: SeBackupPrivilege	436	vssvc.exe
Token: SeRestorePrivilege	436	vssvc.exe
Token: SeAuditPrivilege	436	vssvc.exe
Token: SeBackupPrivilege	3804	wbengine.exe
Token: SeRestorePrivilege	3804	wbengine.exe
Token: SeSecurityPrivilege	3804	wbengine.exe
Token: 33	2640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeDebugPrivilege	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1788	alg.exe
Token: SeDebugPrivilege	1788	alg.exe
Token: SeDebugPrivilege	1788	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1508	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	83
PID 2128 wrote to memory of 1508	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	83
PID 2128 wrote to memory of 1508	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	83
PID 2128 wrote to memory of 1508	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	83
PID 2128 wrote to memory of 1508	2128	2168-140-0x0000000000400000-0x0000000000654000-memory.exe	83
PID 2640 wrote to memory of 2040	2640	SearchIndexer.exe	110
PID 2640 wrote to memory of 2040	2640	SearchIndexer.exe	110
PID 2640 wrote to memory of 3740	2640	SearchIndexer.exe	112
PID 2640 wrote to memory of 3740	2640	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\2168-140-0x0000000000400000-0x0000000000654000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2168-140-0x0000000000400000-0x0000000000654000-memory.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2896

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2884

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1984

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2832

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1252

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2952

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2040
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d77e649edef0f6f11d55eab6ba329324

SHA1
2a387429f6acc984d6c451cd0fe5e47d1f7c2e10

SHA256
2db55d62604579871888cf039339c665a37f2a65c03124d603bf9fd1ff91c514

SHA512
0b757edd8e2c82baf0a7cde2f8a1eebcd5422056b7bf01c552d5e7b21531d720397aa18e61d55b6e1792a1e538c15abced56d110834f7c553477d04f7bf4fbd5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5725a68e50f1d6b5b0a726045bfee12b

SHA1
db49c0e4b7f4dd7668dd53fe2725cb2f67d575b7

SHA256
9f58bd48d519266062b0a3b79e3218502681ef276ffa0337c03153fea92f67a3

SHA512
c5390256f3088375975a4ed2c2d074956dd8341c312c2a51812813eada74666138bbfc382d9cd20d4dec8c927bc87c6e3ab84579fbe927a4243ff8788d0f42b9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5725a68e50f1d6b5b0a726045bfee12b

SHA1
db49c0e4b7f4dd7668dd53fe2725cb2f67d575b7

SHA256
9f58bd48d519266062b0a3b79e3218502681ef276ffa0337c03153fea92f67a3

SHA512
c5390256f3088375975a4ed2c2d074956dd8341c312c2a51812813eada74666138bbfc382d9cd20d4dec8c927bc87c6e3ab84579fbe927a4243ff8788d0f42b9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
56238c73607fa428909bebe399cba4fa

SHA1
7ca3029e654b6e0a13a9a400c869b0f5be166fce

SHA256
2ae5df7c837ca87e8660e2a9c381d342f73b39c9cd620f8704fea240548c2187

SHA512
c990a98be4c631d27d3f307b71ef799302691104a03cb2522b7475de1b861cfe586c33e6a9d13e3b376adcae08bd0b5f3954b56d61f3a8bf95be8bb1295bac0c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
f6881c0491600d4390b94248e67b0117

SHA1
095c5e653eb6f50d3ca3fff407b3165eda22a654

SHA256
662a16000412a2078149f367a6826d31b78dbb1e445b1d7a4402fc9dad7285d4

SHA512
417cd39939b9266a32fbf9df228f63fd0d02a391024df292532a6aeb7b633eade2c5e6f21a2b6a25fee6baf97a113a25d6c92b73fe89e2b106a60e7c8e11a582

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
e3c8c3439738f1405e06fd1dc955efb8

SHA1
57e89d17eae1b2168e01d39c78e2cae07e7c802f

SHA256
0c30201fb01b615bf00f3155267810a1966b42cd19932891a40d00d253d48fea

SHA512
f9101845077f0c08436c1fdb5c4b72d15d69f885a290f69ba50c2f5fbe7a59aed64e4583d224ad110a13d7ed88364a7df79c034b16367ef1bc1b3089e717514b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
5a9371ab49f038ea2f4667ba91cbd34b

SHA1
96c8a0db8cc22e4a5fbe9c7d560074e0a15f4e0a

SHA256
706c9bfae62a458d1ffd4ea2ca6297286cd1da52f11c43e7e0896de7f7131f1b

SHA512
cff903ee389001c72df7c0f3ed3b00b134989183514f11e73cb2fb42f268792628419b5b10835d1d84dde6facb3887dcc7b4e22297d10d62658d903f40310ed9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
7364b2f3f7ff54ef0a9f297f7124afa0

SHA1
24d80d4bcd0bfc76f22be53fc6b71e7c81427fd9

SHA256
b06a236c631c85f6ce20ced7cc1bd3aed01d72cd0e2f0846553ad3bd2ae888fc

SHA512
c6ea8151f491da1a82473fcc4d9f50430cab2bfb49f2135b07914760a7085267c213fed9ff6a68ad18222e497fdda08b366cb6863fba6e14a13d4e13ccfbed29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
45eabd6f6b90e8b52d61aa6ab5896131

SHA1
6d91b59a2ad4515865707a1f7529fb7b97341306

SHA256
6220e4105731da64b77038205e07e90b090b83f31412854670d555825a2eb79d

SHA512
f298b1a2eae656d143ec2caab06a797fe3a880f7eebf7e44a159aa0404a44a5900c166112dacfb3880bc2846fdf45fd3eb85a2e14e98498ce886252ac8174a00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
269b8c32243e51c798b87655e0276374

SHA1
4818e1a13a3d15c6907a3d07b754aff0b2c963d0

SHA256
a689812ecb72f61b971546b1f007b8da5affb2fdef795e8689d267282028e3c9

SHA512
bb386730f83c469b261a5e3f0d321fc2409d5d14864a51ca52aa0db6265e63e3451ee53fc12318c7b179495ba2c6cb5843ff982db76304cce9674e320ea3098b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5284418c3b18268def06ded464c3e589

SHA1
94f92869082907e14a63c6967270b87c3b5d1dae

SHA256
3a070a65fcaa05c30b33ba9004879e1066fb35418a136c2384d4b7b7d91a780a

SHA512
8071ec45358c89346c9a293f7cfeb1001c655b8d0450c388c101bcfa69638197f4855f0be8d9549b06e09834282939dd5200c77169dd52a8c7f649ae9a283fd3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
63e59f0d87b2152ea1ff76c25e30ab85

SHA1
fb6b0b840c75716ea5152f3db7c1002b85167cc6

SHA256
935a7a338d445762a00351d62d6071b64752d00ff3fd1299f585e56a229e4117

SHA512
2fc173f474cb234b965a2eb70b31abbb8d8615b76577eb9f51282db732bb1dda8763a211bf6ca5afa87fe57fc7d9a56a78ca2ee50d76248c8b3c8b3f34074d29

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ebdbcc8a750e59568e7611916cc49a15

SHA1
7f747bfc50eb402ecb2725ed28168b79e51db8a1

SHA256
ea56e1d9110abe4c5d9edb8e2234ca4bf226d765aaa593b76b1c28ec215ac359

SHA512
f5d9a6d0888a1b82ed5c903b43ef940efc384ce88ec046822b9b2e6c77165764bf889e60a2c1d683f8a1ebe970ab5d3fb717f7be61d0f56d65f568e340c540b7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
a565531317746d77249f4a693d3b86c8

SHA1
9828dba20b3aff2f59dc9f02af292d92906adc3a

SHA256
e8972b5e8ad76fb706d390073e56d7893d337f3f91d43b191c1291234aff8e2f

SHA512
3bf6a1221594bb5f317ea43fb4f60ec266ad4e33d2b2e55085e141eb58c3cdba46acc5bb03e5c4fe144d57beb6e2818e4bb8fdc6515bbf677855b923b5ca0c43

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d57f8caf4c45011fdb33478994b90d01

SHA1
324183d9875720d49eb1cc500c14e1452dea3c5d

SHA256
9368a5cf569e92057f8c6288e4bc012d3ab783f0ec3a76aa7192f1ffd3525671

SHA512
6a2033ceed23cf28307aab769e48ff4fb02105b409723480a4181c28b7823356b29acf6aa3655083c1bc15dc1af3471f9fc9f592b25e6df35c04ef98dffc8801

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
5ce9257825109cd44495f3efa6699800

SHA1
45a153a727de1215f880ef73c1d467ecdaa6ee44

SHA256
aa088271ef36e8d88039e58bbceb5ab4bcb73370f5e8a2d81875da8763be2f9c

SHA512
a795b2ed2410ff063da368aa8dbe1b6244f8df65ab876d573ce03f5b4b9151b4c185d345b5f6b00da719900233f0a9c12281bfb6d8c4b81e6fd44e88dcc72b5a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
d4bc79966409169fc16554298afc0aa0

SHA1
41f203510c346b086be42acc7e8714ca1ba356ea

SHA256
ddf7cac4bad25d798afbb8532119f1ccddba610e94648ad6107efb11642c6f3b

SHA512
4c0973d4aa97454eebca705a2e5c31b39ed586e2cd578ccde2cd19b60f8e1ff941cae15b06335e54651feccf5c56ac7aed10350863565d8901584747910f68d5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
32bb97d34701f0f630128f4f6ee98f5c

SHA1
95e5872be72d81cad4c6a69f883c6bf66d6eef4e

SHA256
dfaed4678a44602f48501af47d2f3639fde58f3dd865ad8be1b5a8f9725084d9

SHA512
e5a088190cb629bae4cfd4e6e50eaab46cf4846a798ca68b2a7f6c32615b3a606b698c810c7f086d6e95e8488fd87b2952116514a08cee5cf460203d7081a012

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
90ab47a6766bddd1db1c9ad1ea016a52

SHA1
6e93d813ea71ff9fdfefb494ab8be0b790deedde

SHA256
8cc8380b8a7952325ca2cac302d4be76b7cf31aaeaa052dcc173912d533e7558

SHA512
ad327e53e54d0c024fa683f9916995a3a289a3307d7cdba995706bb8450738ae11732525e2e0ebe553a3b91ee6fde24f9554bc386801d3e6f287508f67110741

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
f41775fdb2aaee691155fef11d270b04

SHA1
49be03f7df599553129f42d15b2ebfd2e4670c02

SHA256
65b1c8da04353d97c95fd43163104c9aea037e913d2ef56de17c69c3d2e99b98

SHA512
5d230597bebcf416449f72351e7e9030ea65d4f6ab5da81be595545c68bc724bd6b9a33e3eee575e0776c5e64a014124ce19537e5aae6532c47794873bc15d40

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
35b245887c36c94a41845f753b1427f4

SHA1
efff80ecb3e972c60fb3013f74a6169ecea7957d

SHA256
aa25f8b32e119701b2c3524efd1e1c0fa219807576d6b5bf97910ca9122cc8cd

SHA512
df13f9a395d82884011dba1592287e20abd627e20df9dfbd2b359436b1ca565629094f114be3490a0b3a8fb2faedec999e970e95a51128d2e86b065523e8a3e3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
4866cc938d35aeb399199ab8d2e70f7e

SHA1
23629b6deda858d27a32e6bfcc0cc0b91c530752

SHA256
59fd77601aefc750ceccc3e76cda8b3395b812b2acbb3a7f5bd1578351ec2270

SHA512
9768e0d2e916789a995280d49607fc2f8b07b6e4f902cfaf42f5d043ff2886f64b595a0cdf9e2e1184a19400f4ee79b742328c61f3d97ea654fbd727e64b519d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
bff6007a45b408c94411af5bacc2b73a

SHA1
04204fb2e4cd7ad6f6a11542218974169dd4a956

SHA256
a10f016ef0b6214e006149fe4f5008c054130cf4552f7da3908042d78e949dc4

SHA512
99a5af9d5f43fca428c1700286f89bd0bea46b89d12974cad2ee803af492580266a72e0d815933653ff76e352719c72f8406c74fd97acc908e11b90a5a9e78be

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
c00e285a46ccda01926fdb0470430a18

SHA1
72c280fd0034b4c1fa5a1cbb63838778d2869f7b

SHA256
74166d1d31d5c9cac395b865235f0f782f5d9d09c6fc943d24c7ca00060d193e

SHA512
a99b5af8a48b59c8ece2c1ad73228f65c10cac5b0e2a901bb48fdfc3dcabde37a58ad9d3cf15ef78cb14b45bfd551f791c607b7676e749842045bd4e5631c53c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
355086895564866c0346b3d5eec3e862

SHA1
489743ae35e598e262f345c88592462fb76c3edc

SHA256
03152934626302d679a05fe1edc61b9655d866e6289debae42e9c1c0dd4295b2

SHA512
0222fb3da49f9e219edd6d2bd85472651ab25f75473f6c809b411317c7d256fbfe73c50be2093a1ada3e5a2b65ac7b8399268c6351529fb707d8b2d5a9b0cc35

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
40bbd05f0a2e255f283569911df23d80

SHA1
c5584a58e926196a9df8ba9f6f334508af446e4c

SHA256
0a8889fc1162457d4a448650dfbdd7c3bc15e4dde5157611825c8ff6087a5f7d

SHA512
6e50fd2a3fd2bc9f97e7898445e8b4b91c32fa42f793eac59b3640e9fa0f36e03a266e0fea2137dbe9d750150eeffb10afc1ecb35732055bb4a70f100be6b70d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
7cfef69e002411974ab9852c3853101b

SHA1
078574dd866f7a504c66e2605c9c739123a4348d

SHA256
ca127b9d73a8f71677af54c6cfdc323b8528006d52008f936a12cced6076940f

SHA512
40e711802ed0909adea60d1828678a006742697bbe339eeb79fe771969cbb11b2cc2afe2d2ad73ad801eb0ebbdb529685d6de810402dee196f34c6ec517bc2fb

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
189646f986e3670104ccb7ac18ccd684

SHA1
6af5299009fb6c3cc4a963b34253daed146f33c6

SHA256
14f57baf032d057ae3dceb344db01c33c29bef16e4ea80d607b82551307d1bd3

SHA512
eed7be55ce0c41d74371964cc7240c95636abf7a533b42999e04040204284d2f8e40ae5a644086a307ac7b6e2d0c36906cc9daf6fba80578b55ecc539c0fbe19

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
3606f73a80abc95f7a997b34d0e3f71f

SHA1
ef8ed0ccbe4378ce2c573bbb984cafd8e05e86bf

SHA256
18d8ff775b999d2e605b2454850d418385737553ebf57d42d3d2e45dd74f1efd

SHA512
4ede83cc41939db7c5d4a7d4129393e5d212b5b7e35900603d7cc01bb32891c5c0e4825f31d4303c3338573913ff02af508a5f3bcb58ba27ac747a9fe3d2ae7d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
d9d8e7d7ae2239af50342b5b087bf26e

SHA1
b525607633b54035559c645ee5bd0a9bcefcbd7a

SHA256
3ac4c43f6e8c736b7353261aebb37e6ee1bbda6d0b8558b95771b1fc0e92c123

SHA512
74bc952fac73f80965f14076400fded8be8aac5d51fd8726fc71026001931e83dc729640d01276425890ac6f72c9ba2e61d5b8a32429ab00aa20adf10bec552f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
4439507286a2a84e479a1b679a06cea8

SHA1
be467cf6a16f568a98fa96c691a177be3c64b42b

SHA256
d0b75f52d4749c929f4d12543ee2f3065b6ba8313efef97a4286b677dc689865

SHA512
06259d656031662cb4898bae8b0c79206eda5630acebcff96365eeee09695ca8d410a8fa1f44ff70c8ddac9d6d89906f12540099f5a4539171c9aa47fc62916c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
f764af76724c2d901b985c42ff228812

SHA1
2415c25db8fd4005ddebc6c3496b148f93efa616

SHA256
7253bffbae4d9ef2812dd6cbaf8c43501e4bf18f335be82477d766796554325f

SHA512
1c46a8eb5011cc74f343bb9273c8e8e490669fed7ef9253f61fd85b57dbaf552aaaf38bc3eb8981404e746d05f3ef69accc451fcb23c4284466a55e0d8b849c7

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
c9da3160e9f00330bf528bff8b073f87

SHA1
7c4ca3a05fcdece66c23c8db362b5d62e704dd8b

SHA256
b4e1d1feede35d534c126e945d005808a4d75b68db958a7c0c8f272804f3bafb

SHA512
e5c5d28716f263fdda38229f97f3313ba08b662ce83bbd92da4317a44916305a463a3e2820157c32398ec8e5aab565e8a95ddc6486af1dc73714e27350280bb6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
892cb77bddc0605e0b9bb4f172a830ae

SHA1
4701e4b2a9858b4f4eeb107eee41c265e3001e40

SHA256
a63a024fc1f0478b8500c7ec0bd8a08f7c23ff568ff8530106c7a51cd0168127

SHA512
45912dcdfb6c4402e04419a1d22606dab701e98d3fd73c45552471315c9a424b6b495bbab63f823745d913b0b11927002e59cb9284d1b347f56bef8acce900a5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
6a4f7664659f385c81ced58444bca8fa

SHA1
2b7c1db972d4705a9dee24718a1670b8b93d93e1

SHA256
1758183ae496925f1350c0926bbda0dbbb4183a8a013e63c73d5cb2b745252ae

SHA512
bafb575126a266dd520fa6dd14d55fd28410f5c7653e93cccc509fd0c02fc6c8db32feaa95fd1ffbfc501047e851d990a21d094fc7fc67155fde8b1b5ca7ea45

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
30c83a56f002e5322e49e1ec84a0e0f0

SHA1
94999a07a14d91921bf95df979dcea0b22b2719e

SHA256
fa3cb3fa7700192a47e8b6b0dcabc6a54dbb458c92b8774d720094deb605c69a

SHA512
7da72eda09ee4b4beae2aa26f4f6c43fbcd20fdcb3a2887d35cc8c02f22eb1eaf58fb3daa07c4e2581b1bb51b5ee4557bc260edaf68e0e0fe21c9ce69b3e67c9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
6698a3d84dddae3529a4cd3e12e2dc8d

SHA1
dee7f64eb7bd5250d46afde21007ae7ffebff60c

SHA256
52cedb872f9f1fd160874f0cfe37d9b33fa58db1850db15977e36b670540bc5e

SHA512
c7265e3bd0bb7988308a8d84fe14d825aa826acae4e0826aa571bc96560009613e3f26b9124881377ec4fcbc898a874e5af316117fe52e37e8c8b6e84df2c774

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6842b9b4a183936a2681054ffe2fce1a

SHA1
85081806b8736bea6277494ef7d280911ae7f55f

SHA256
5c9554f7bcf9327307dc040e20f24d6f0a052d1e1035b0db7a2c57abd367e38a

SHA512
e6fa46ffa7b7a546859f2a4189c7078f01065f0a06c7ce504d40228793f7a92055f829cf0ca9ec5834d4bd640eb9f92e47aee2849caf3eafd01ba7d104e7d0be

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
db8d03f5fe7fa21d0300bff6d9b0d903

SHA1
175022946c58ff43a40369876e80df152835216b

SHA256
13174889f2972397de7ba40cebb76064342a1cb7618e38f8ba441431f3310f64

SHA512
a18ec96be19701e49af1e3957c1e28dc4f5a4c2a07c6e9948b896f09e3b57652549c6f361e9215408e09a201e508e2a6392230d4bae0d758eb118f0571cfb1a9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
284dc260120bef3655e0aedf03e7b574

SHA1
16f33e82d193f946bf07c3b7d382d1432c062e58

SHA256
c1e8b4474458c257de3578c690ac9ef8d27b9e14e286fb6e8da5d9d64f8e53d5

SHA512
208f0b7172895d77abb12f3caf5378bb76922a5660b03d4c4661de11fe191979e9eb95479c239474de253cd6f24ba92d833bd283d8ee0e41cdfeb1e569dd49d3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
cea5ef5e52ef9b1850bc62f471e1ea2e

SHA1
37e7138c62f4542befbaf692bc464eaa8f5b29f9

SHA256
f6a9821e30a3f4977ec1a431c4675d5696b008326f5fa2ff6d2b7a0ea088e976

SHA512
2de1b09186656b6fa2559f5533c636810b0d95323014177b59cd840de26f8f81929166d097df6943aa8c4439abcf133d3cf5a2201e6f3f4f3745370f9245eb41

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e094e1d6e0fa94009b3f0fcf0f3607af

SHA1
a725698edf8665c300ca3982ac255385cf10c910

SHA256
bba03f0382b04bbd21ee05ce497ca176cd0945ca4049aa293bb2fe14fd271842

SHA512
4783620a36d75af3db57b58e0b782d999bf82358d1b3a5e5fa82f1d16997745afcf8a506230fdf7b4cf8e18d149037cf5169ecd532c43036dc021dcd2e728f6c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0a1365ed195544e92673da7d778651a3

SHA1
96f9675f86ef205a3cb5b03871c37ef3b28bcc7e

SHA256
39e357244163be30325f06319c418ef1ef8679559166cdabbfb917baed505149

SHA512
a44f84d7404a03b608b9825408f6486bf33e6c2516fccf56c8093e7ef6ddd9555edbb162f69c3fd48f41463c4c5638b1e85458fd00f71527d6d29a127fe9771f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
93125813f850a9b20c7ebb0ea66cf6c1

SHA1
d9f2d01495800dee844abe1f6b0b4e239861cdb7

SHA256
b1bd4fd27f4b0dd89487943640018a04fe5d5f6344dd6bb940ae8ace592d929a

SHA512
d9005cbb42ffdf944921af7bc9a244fee8afaf2f2cc42c4426d2fc68a773498585fafe20e472df1383bc5ea6d97d2472047b2626ef9299516f4799703dd1e869

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
93125813f850a9b20c7ebb0ea66cf6c1

SHA1
d9f2d01495800dee844abe1f6b0b4e239861cdb7

SHA256
b1bd4fd27f4b0dd89487943640018a04fe5d5f6344dd6bb940ae8ace592d929a

SHA512
d9005cbb42ffdf944921af7bc9a244fee8afaf2f2cc42c4426d2fc68a773498585fafe20e472df1383bc5ea6d97d2472047b2626ef9299516f4799703dd1e869

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ce94b18a4c274d51f621bc5ea2c26d91

SHA1
638c636281d00f7bd6cc68c06c04d98863754d19

SHA256
aca3e39c10ff59973a2f27fdd485a6e427c80c80cb84794dbc939da593eeef20

SHA512
8c223064e8741f86921abb7e29179277210d9632faf5b256bf16662395e6f86318d3f63ddf64129a4f6967553036116e93ba22c4cab228481c59b5b885f7062e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dda5463c6b961236fd7b91ac0f5b4a1b

SHA1
f3ffd2d20834ba72b33f41a606a50c75f144bc76

SHA256
579d6e12f7ceedd331351833abca6f623c3b0330f20d591c4293a4b8f1264439

SHA512
0bebd4ee8989286be9cd99dc16d3cd04e108de0c3738825c7e0600b5a7bc3e17dbf01b2378a21ba473e142cf128ec690bdbedfca90abf1d05e43b83199d32ba9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f729a34561e39dafae8349d8aaf6e8a3

SHA1
453eb7ac6a441e3ba68c02bdce18fd6918cc8716

SHA256
b76014964e935d7cf3177dd820d297b56cbe34b58358882099b6f579b7ba6bb2

SHA512
8b0f95d27c85ea117bdafbe4c5dc4acf824337ba97ad7099fb12e34f0c39f0943c89ceb13e3e3e330572651c13aad6f964d1d9263644f1d0e17a0b97536552c0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f729a34561e39dafae8349d8aaf6e8a3

SHA1
453eb7ac6a441e3ba68c02bdce18fd6918cc8716

SHA256
b76014964e935d7cf3177dd820d297b56cbe34b58358882099b6f579b7ba6bb2

SHA512
8b0f95d27c85ea117bdafbe4c5dc4acf824337ba97ad7099fb12e34f0c39f0943c89ceb13e3e3e330572651c13aad6f964d1d9263644f1d0e17a0b97536552c0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b0f75b9649bfaabd1fc49b4949076d55

SHA1
3db0d3dd98f111534ba22172b8d6247153085094

SHA256
311885f2c1627114c87360c5b597c9b28fba5e35cfd0fc76c87e4ed49c490aec

SHA512
afcc239c6eab98703e237dd790b39bcff666a5cefab9ce9f2649e864b284f1ca9e66087dadb542bcc9e6388e6b70c53db34f3ec5e02fd6778936887d91280911

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e3607b481f033859e901095b451a666f

SHA1
10398d4608a1e1d73d48ab2d9d8e826cb92688d3

SHA256
bfa40c242db1e23370990f10323eb4e77e2238906fc61809ca44d2140335135b

SHA512
19f955d278508ab1cbbc9de47f4c7fbcc9dda1fc5498da84b2d3477580f2b541b08944bebdae7a752b44db45680a38984ac88d21fd9b0d417646f998036a0779

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
96068d8915290f835fdcddf443242c47

SHA1
12740c02e7303ad5e74a381d0918a16223b0f555

SHA256
6b563d10d16c3de11632b56219958209bc7ea4e425f0dcbc6526acf6ffb138fc

SHA512
41f72846b1918e3397df0f4670dfa5de17425787abe3800015932ce4fda6a3b693641d42b6868a61155580b9b1923f130585e771032e9344c2f4e019a0f8472f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d4002dd280afa73353caa646019d674b

SHA1
3b02d1a4e4f3db58b9438931d70a1080e5ff3c97

SHA256
e1ce9ef3b73a89c6da0b32e537f68030acf2f327ff6373f311a1139a452e06ee

SHA512
965e5a44be56eb2501004a5048a1a039c3ef05491e7a10e8b21a04e139990ec756df26bb077a06c945450afc864ff6dee95b7555ac9b39a3e2775cf45e5f2aa3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
8c14aa00291312ef257e898f59026214

SHA1
00d85691df9d84a4d4dea1f4b47e5c6a01675c6d

SHA256
d344a57a7aff35bff561d91c9f98d364351eb1c1a60466d55a5245555d758bb3

SHA512
0f58fdb0a88b5d03c6dea644b8c73d8df201665fbb7faa9b035d239d84cd8a635525f193889b0ad3561e406190d57a4bbbc81907632574541d271e80ef7451bc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0a42a98396e9ea63f9211640c616128b

SHA1
2ea1e9bc8d20e8eccefb6204f94cc78ea60de8dc

SHA256
c1dd01291f9c3a684aad4e109c388eadc4a6562076816fc283f01e94572a94f5

SHA512
5fff7d073d03ca1be771e8d93658548f67997c18f26bed8007cd5323a644824675fd69870d9cc5dd6443a5ea96382b45f6a4cc4db3329167904e1251c4d1412c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
85310e04275239b28a5692fd2142c0ef

SHA1
acc413d3ef2c25a35308c53401a55be027fa3766

SHA256
82147b0e7e2297693dfb4bdd9cdcf7cd4256e49c461daf85ceebefbe100beb09

SHA512
e824f31edd39af70dd5d10258a3b63fd092d9b0b1ad465b97722ecb4e0d3cf338e727e61e5afd5211ca2c8599c5ddb76a94b953a06413e4c578691efc44064c0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a46581a6263aa9f1d4fc9f3683b553bb

SHA1
cf4469c84b1ad2e11bf0191080ef007c7f26f1d1

SHA256
1aa4fc725107d00e4e7a043075a289bf3c7ad9c982a84e902938822a31068b9e

SHA512
74a5893a1df6e4fee9d188c7807ae832ccbc251ffa67a45e4e37f1c99d34181571e39e1f1df635ec5b2cf72e93c2247130cac32631efe2c5600f1e4f7d2f4339

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c22eea419594fd20c0d3da8c40a3cd9f

SHA1
af550628d06a42d21ab58af13230467f5ac5a7e0

SHA256
d9625ea8ac684cc1bf32708a58c1d2de6b1e55472bd19bb87a0b4bef2fb98f76

SHA512
4c4e60817b145a5a5ca6d0093ac98331e034c50abdab896f4c85512181ec7f19aee3fdc8215dfbb101421531cf6cc29d3d5f9b4c5aeba4691aab0ccaf283bfd1

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
284dc260120bef3655e0aedf03e7b574

SHA1
16f33e82d193f946bf07c3b7d382d1432c062e58

SHA256
c1e8b4474458c257de3578c690ac9ef8d27b9e14e286fb6e8da5d9d64f8e53d5

SHA512
208f0b7172895d77abb12f3caf5378bb76922a5660b03d4c4661de11fe191979e9eb95479c239474de253cd6f24ba92d833bd283d8ee0e41cdfeb1e569dd49d3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
520bb66822629ad29cdfd786ffb3de43

SHA1
5959315ac705354b29c75f1dc13dffcb0d66fbb8

SHA256
6adf7d10802a63298144eeaaaacae359348ef50e1d736f8c1e9e841c719be257

SHA512
717335d4f26c9474b432fcd64123020ac17f96e1fd88c474757ec7edbf933b37d184ecc478367e983116e3e3ba79d32739e49a4346c939ed5206d9dcce09e0e4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
95c05beb89923acf429e7ddf8c2d9081

SHA1
4264d8184114a95a574664832eb32ed05892da68

SHA256
db281e9dbae7e0e27847fcde0d4dd8dbb4b55700a240753e3992c4bbcd25f8b2

SHA512
c0902c012dd5a0a93a8dab230cf0e1139a84d68d834f696e7fb54ca0a2ed23cad2c7902a915d43851d4355df5c9bd8ac62b1002a513e0295cd3b1d00b3934167

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
e094e1d6e0fa94009b3f0fcf0f3607af

SHA1
a725698edf8665c300ca3982ac255385cf10c910

SHA256
bba03f0382b04bbd21ee05ce497ca176cd0945ca4049aa293bb2fe14fd271842

SHA512
4783620a36d75af3db57b58e0b782d999bf82358d1b3a5e5fa82f1d16997745afcf8a506230fdf7b4cf8e18d149037cf5169ecd532c43036dc021dcd2e728f6c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
cc1bfcc7bebd2f03723215c79a76752b

SHA1
2fe2f0f5111cd0b003046706c07953e0255a35ce

SHA256
9bb998252078eb6f5b274b7585238ef27a98d5354175453388ef95941ed3d890

SHA512
4bffed9b93282d222c343d2162f661d70673adcd0c5355f57db4bc849f25058026004126eff745fc9de6a2c6609df26ae9c494a4baeb31cf687afdb831ff7b3e

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
147cc8807a4271259888d0bcee8916db

SHA1
fd9851cd611f3456ba5d47aff20a690fd719fd58

SHA256
a59ef5f1cefffd32210dc74ac7282d0b4b0a84aa6fb1d52dc57deefc3f4467d9

SHA512
a78bc39a3dbaefea9a92eec5b56e800019f7da44152f6be499277d9f433a4132708862e04ae0663ab3798088165b389363b7f93f678ad342b9be11ecdca729fe

Download Submit
memory/436-600-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/436-369-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1120-165-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1120-159-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1120-177-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1252-588-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1252-316-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1472-340-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1508-208-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/1508-215-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/1508-193-0x0000000001100000-0x0000000001166000-memory.dmp

Filesize
408KB

Download
memory/1712-338-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1788-152-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1788-154-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1788-395-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1788-146-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1972-195-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1972-490-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1972-202-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1972-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1984-225-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1984-544-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1984-226-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/2128-364-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2128-133-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2128-134-0x0000000002500000-0x0000000002566000-memory.dmp

Filesize
408KB

Download
memory/2128-139-0x0000000002500000-0x0000000002566000-memory.dmp

Filesize
408KB

Download
memory/2220-295-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2404-367-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2640-615-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2640-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2832-293-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2884-181-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2884-187-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2884-204-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2884-492-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3116-191-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3116-169-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/3116-175-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/3116-179-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3116-189-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/3128-259-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3176-399-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3176-601-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3584-261-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3708-300-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3708-586-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3740-669-0x000001D1E4ED0000-0x000001D1E4ED1000-memory.dmp

Filesize
4KB

Download
memory/3740-649-0x000001D1E4ED0000-0x000001D1E4ED1000-memory.dmp

Filesize
4KB

Download
memory/3740-648-0x000001D1E4EA0000-0x000001D1E4EB0000-memory.dmp

Filesize
64KB

Download
memory/3804-396-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3952-216-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3952-207-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3952-214-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3952-219-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3952-223-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4016-570-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4016-297-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4896-342-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4896-352-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download