blustealer | 35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Size

996KB
MD5

6b5440ea657619e7301f3e923654cb3c
SHA1

1fbafb550989c2c944d3941545b68bd553175704
SHA256

35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097
SHA512

a652226f01fdbe1efe10ca765a029fa72a972f04a79b579153e61c3c02fed20bf265293f722a386da3985a152124b2334f140b8620d82862fe2401103f8a2c74
SSDEEP

24576:wxgsRftD0C2nKGe0Djsf9nz4mloFQnpXUMPQDR6q79dA:waSftDnGpDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
640	alg.exe
4232	DiagnosticsHub.StandardCollector.Service.exe
4432	fxssvc.exe
532	elevation_service.exe
1892	elevation_service.exe
1780	maintenanceservice.exe
452	msdtc.exe
4280	OSE.EXE
4744	PerceptionSimulationService.exe
4296	perfhost.exe
1748	locator.exe
3028	SensorDataService.exe
3912	snmptrap.exe
3800	spectrum.exe
2612	ssh-agent.exe
3744	TieringEngineService.exe
1544	AgentService.exe
1400	vds.exe
384	vssvc.exe
2644	wbengine.exe
948	WmiApSrv.exe
1912	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\wbengine.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3c46cc2fc0346ca3.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\alg.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\vssvc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\spectrum.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\vds.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\msdtc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\AgentService.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\system32\locator.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4788 set thread context of 4256	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	112

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{12B41477-B896-4CE0-B721-49B4FD6AD28D}\chrome_installer.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000699c6194497cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9b4f893497cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a264c94497cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064040a96497cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040780096497cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001c46894497cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054c2c76f497cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000edcb390497cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd97be94497cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	82	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeAuditPrivilege	4432	fxssvc.exe
Token: SeRestorePrivilege	3744	TieringEngineService.exe
Token: SeManageVolumePrivilege	3744	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1544	AgentService.exe
Token: SeBackupPrivilege	384	vssvc.exe
Token: SeRestorePrivilege	384	vssvc.exe
Token: SeAuditPrivilege	384	vssvc.exe
Token: SeBackupPrivilege	2644	wbengine.exe
Token: SeRestorePrivilege	2644	wbengine.exe
Token: SeSecurityPrivilege	2644	wbengine.exe
Token: 33	1912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeDebugPrivilege	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
Token: SeDebugPrivilege	640	alg.exe
Token: SeDebugPrivilege	640	alg.exe
Token: SeDebugPrivilege	640	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4256	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	112
PID 4788 wrote to memory of 4256	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	112
PID 4788 wrote to memory of 4256	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	112
PID 4788 wrote to memory of 4256	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	112
PID 4788 wrote to memory of 4256	4788	35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe	112
PID 1912 wrote to memory of 624	1912	SearchIndexer.exe	114
PID 1912 wrote to memory of 624	1912	SearchIndexer.exe	114
PID 1912 wrote to memory of 1092	1912	SearchIndexer.exe	115
PID 1912 wrote to memory of 1092	1912	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe
"C:\Users\Admin\AppData\Local\Temp\35ab280f808e981d3c77d1c4c38a8b84ac102cb6b08f11b6a632d11ccf7be097.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:4256

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:228

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1892

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:452

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4296

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3800

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2372

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:948

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:624
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b5c0638ea57f87715d87c164f6ac32e7

SHA1
24819fc2c237ce5c6cc9f8990c5cde7241893def

SHA256
a0e43c7bf228d11738398b13ec6c822b4c2b0a0f3d7118b9a32608ff32735693

SHA512
aa40b5794dc50cb404b8a06ccb61fd766a830235422501d0dbd30f7091ed2b5457fc7414315fd5a50320f8ef1f64d5fd88941dafb213bb70d73b73875635fff0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d61b0e8f9957f7aeaf22fef32c6edc69

SHA1
3a40949f9975c85370ea112886719ad65f28b572

SHA256
cce2f13be4cdd3dcc956776ddc30bdaa401badd1f5654bcf9732dd6743038a3b

SHA512
27886ce08f0207113dab579f33cbee357eb3cf9dd1b4603e8d968783915e0eba2c09d6db27f9a891e425a21dd2f14493d1b41672f267263ec80f41865ee7d797

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d61b0e8f9957f7aeaf22fef32c6edc69

SHA1
3a40949f9975c85370ea112886719ad65f28b572

SHA256
cce2f13be4cdd3dcc956776ddc30bdaa401badd1f5654bcf9732dd6743038a3b

SHA512
27886ce08f0207113dab579f33cbee357eb3cf9dd1b4603e8d968783915e0eba2c09d6db27f9a891e425a21dd2f14493d1b41672f267263ec80f41865ee7d797

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a9fb116e3335127bf12435a359606d59

SHA1
70be601d42692747ad65dea887e744f9b659a9d3

SHA256
8482ad4a99270ca80e52be7202b01f4da365523fc7049f9af7d4d912e1a0504f

SHA512
3ec7a23c04826270b8d7d0f6308f20ce3dcebb5e610bafd2abef3b2a3d88466df43a0229d2e9800736831e4ef54820a381e9249dc69719fd98ba65bfe12d393d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
efab64b6bf992b882abe214bbbf3daf7

SHA1
df6677bc52b03d2aca2797972a76715c2c9b8e99

SHA256
0efcdfe2b8287dd2eca1e43db2ab24cdd07e130c668afd525801b4941fb8c365

SHA512
26bed6a95d22d087e1ac3e497d8592a241b46a7731e7c57b71051e9a24a5e6ca2e717d1b2340b89b42830ff2d2238647b985dbc9ef3a3aca4e9a0460dfd6c906

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
56f7cc9277b63f49c80ecc3bf5cb7516

SHA1
4c53f989ecc62e433a84ca0c27d898c67f88df24

SHA256
773ae3038b6af4539f975259013c0bdaf5604b616b7ca5ee87d7e7e845165ee5

SHA512
e954da185e1ea0e0110ac6cf4f5a50185297ac51fbee9db8e427ee83489cbf830f2b3ca3dca8159de4b75c69c8af82338d6cc024f8aa568fe8602cf489d19c73

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
a3c2e8263348d8eb2b48e89637618c15

SHA1
9b3c297115f0fc22d804a8230593a99df2be6114

SHA256
034299e25488be99b5bc273620d14b5dcd292fc754c9f203762dadbc3bee35ef

SHA512
efae94dffda4242916922582eadf7026ecc72924f03cbd1b3d53f21b78db5a0f0ce6bb83c9fd688d71a33ff27434f99988d6da0936ee24ac4229a2ec72141e22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
e43c3c87e90544fb2743a034f7ab166b

SHA1
2eb1fc4fb697343be154ca858cfb2687bcbec5f6

SHA256
0fb28d0ed14c72f97951aaef4482d0b224a08cb2e1398a761a602fe5bbb17ca5

SHA512
4f6685ce00b1ed6de12a45700ca83faba4896b34f07751594dbad3db2944c75d59893790353695d9ffc580552c62fe046130976fc7da9e4c6554c0338d6e280e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d265985b7ea60d2eee8e60132aa2324c

SHA1
32769c19d8bd617b6d853978323f5be1900e6953

SHA256
780311ff0f3031e86b9857053f2b9af6d2090be943f9524dfcff8f63a30a5b20

SHA512
86ecfc77b3188f960d66925465521c0a4e295d9bae870447889a79e021782d960cb80e2af81080d73bf64365fe6044915aa45fdbcc4165cef1d2794612b6b535

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
d6e25389b4483ea5313815a9ef9d7dfc

SHA1
73e1ab24a9105efc0ea27c6592cce6db74f46da8

SHA256
936d33f6d3186df23c8295742c6fae7f87cbd2091ebd71554473c6ca8bdf942a

SHA512
d7122281296e72a240e040009823047e4fa2b78e12ef3d2c7d558de1effb73c265c3cb7b6636d86c38f5fa7717b5d7cd6d44ec82854f8eb67b88d9ffbcf06f88

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9cac283613536814e58e2bfdb80d070d

SHA1
d24a5d7ed4b86a9fc3872ba80e56764795d1148b

SHA256
bfaeda9d09b117e03cd017065685b79fa78561348176c0e4641fc8d3bb3805ae

SHA512
2cce8abd9998a7e75255f8237280ab6b467c5293471ea45e2bd07b21131e43dd2f4699d31044a4794cc6f7881bc566fe387205703658d768c3d9da872e2e4c86

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0cdb2c68a954091c48dee70c8fb87687

SHA1
e1f84178c3426d066dc8da48261be37975445c76

SHA256
50e4b2a16ff44cdd44a4011cf5c7bf1b7d7739958a64d97c0892897d2d6b0414

SHA512
1675d249a0092626407df566f940166123a94fd69f991c23d2181e4942fca4166e3ec43b6f538353f68732384dee675ac979bee27f35bca29dafde9cbfeff791

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a68a3b2738167a55aa155b4f65587356

SHA1
270a110ce7bc7bd8991a170698af4446eec1c937

SHA256
ead01cbc9d416b90a5ef51357ec48c3dd17fd5393a254728744fe8a6b2b05482

SHA512
d9007bed9c0bcb0ffb042c759b9c79a329c83e99da3cfbcead474396d98175777d384cb32770b6b1cc30e8f614a5a983dfa0d5ee00187d73f52ba2d7ca8db2fb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
07962f0e3538b9df82394fb344158156

SHA1
9349d15f2730807df99a79ad157f988fdc49ea0a

SHA256
4d0f2668e4d5d315cad9573d9673b4b9897f7b23362c0ac95d81147a96ddf131

SHA512
3dcd939efd7d150bd7a19f7b39b3498cc28db113a9edfc8f35409edb4e4a167659609666068e98c77b153a3702b2c0c4c7c5df13cefe5539bc49e87a7991704c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
487aa50f32b0e8a458561f8b07d7e9ba

SHA1
bc0fa6f9866c0a96b4289a01fa13507f6c21c342

SHA256
9fe0e48b338ddc6e363cb111977870f14b770d1ceba03497bcb0d2972efbaccc

SHA512
a2468e01891d2c03fa7733121e518be4c249a59d0090eb431ce51c452a3e2739856e5055df45c8cec40d0851d863fb9092226756ecbf76eb9318f172772ef57a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
0bab2d3955d69700307b5567901bd59e

SHA1
e1e5972bafec2efdc9800291c9b46878a122b7b8

SHA256
ff6cbcc63e1e3569172b714b4f76bfbee740f532c5f24700f3fb69edb740d0b6

SHA512
55f9a7648930e16e1aed31647c633c0ba00d19c1094c58aeb7cceda6afab0858295b07f51f48bbd699d97824b4c77719eb1ea3b4eda97cbbd596bd1e60f5e301

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
8fef02870660f118e06f5fb3520cc08b

SHA1
ddde703e7bcb46ce03c74c2e45f6e40814742766

SHA256
e51040daecb3ecb46da691670bb8321be30ff9f63fbcdd8fafa94caab7a189c5

SHA512
c2cd8cbb17d34303d3832d13f650ef41ae074e2137862bbc94f7691dbcdc360307fb5245b45399fb1108b84935236236418f1f5f075f9548ca4a186884d4ed92

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
3fb3505835de1353f277752d32b74a6b

SHA1
e07cece35626c31b7ced8a6d94e2bb49fd8a05c2

SHA256
50b4d647eb920cf46a03a9d27772a43c52850d602fe1c4c5ca5b00484c77a778

SHA512
7b4ddecd87e388bf23b3ac2a655817125daf899a39d9bf44bb3585c38d72102706a5554edd3f81c2ffb1cebb19ccf601792db6d74f9a23bd28c4b8f26a0f0694

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
627f5ec336ec7d360e2bb297ecf2c919

SHA1
41c0dcbc31785cb13915af445eb53e3eeb6df95c

SHA256
bcd9fbf93547f315450058b6c5e7bfeab627e151263fad18609c7ca84f6d0c7a

SHA512
1508c0f986f47a823fe257bffa853303d70770a5820294af64c61f2fe46682eb1d8d7d5e5fc273252bf47de1d853689d78861579d6f255e560f81a9905146662

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
7ac33b6388178901caa045ff406099d3

SHA1
b08cbb3d2ac7c5b4292fc47d73688ca125da7737

SHA256
5b0d7b33242d6ad7408e2a07fcf7d30df1d8b9ca7983b432697063cefbe818c6

SHA512
c5d756bb0c61db0ed6280d992452d8dac6d847932b1f9d35fe1bfbb8b2768a9546fef607a691ebbfac1eb597718aba3b2665ce242c222b7eab789bf68a2030e6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
a1214b21a1c20a73d9ae1ce536a43194

SHA1
1d7a8d33d5ec516e8b1f7d2a1d92eb1c8f7d05ec

SHA256
107f750180cd1254c8e2ec52dbe708b9b39946986e13034466cf20a88736c31f

SHA512
6dace64213953790af44fc74e350967701f8a2d7d8899381c9d0720141fd252924ce9cdce58a30e245d21073351ac26130f38ef2b9cd043c71c4982fbc0f2d43

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
9e4224d382caa0cae658a05561fd7215

SHA1
ff162433b3136d175513726079bc47d33281a48b

SHA256
270b443a3c4d6cb5832ad1c55d371a00457e6a10d58cf5c817ed2d7d933b8ea0

SHA512
d4f739f4265997ef8d8c2fa317b5a68b103405275f76133e74c9559d843084f1a8e51a2a98a25fdcf2cee459d59ce34bc07a45302709cbc48ea8752bd9ca9318

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
dba02c113c247452d0ef37787f698d48

SHA1
84bdbf1264b52e7cff23af3b5c1558709c55684c

SHA256
609fdb7635b46e226a550ffe48aba7a35da840512d0377983eb4f2df3e2ba8a4

SHA512
73c50cad94a020d23855ff013242d8a80b27b09659aca266825eaf226afb171ea3a2cae3cc337d980e2505279092f840608e54104d051fc6e74c80bf5c9ab373

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
bcba6fda17c4edaadb10947d002b335a

SHA1
bf11c753c6756d8d81cfaa19fd95862dcb82e523

SHA256
123aade595289815a93069695758730ae2c89d3a8b18f5c299f6828c9c6792fa

SHA512
a53611e388bd61ec475b82adfb74bbdf9bd62f64fa0e383b89365867ad5dcb4b7bfc32f166978aa3a3b12ef8a609a2f2a08a0f9cb7a58612ab7d84bb992c6b3d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
e8142f4f43f97100bca1a68eeae3c798

SHA1
b02a76d994892da9960cb50d2bd4c5fda4ad6ada

SHA256
ea8d5a544c459e2b91fb896fab46620476bbbe7be0aa86482ed862a060bb324f

SHA512
8e6481d8bf0e362af8390037a2cff5f633b8029deb491d966ff79981dda0157df09d465e15b3b28e73ad4ba2c366fb14ef4febc2dc60a68d6bcec57958bf6ccf

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
23ef31708868343863f9ac6132ce199f

SHA1
23929745e1e5f75740780ff4254963808715e836

SHA256
6a38d50569477e5897478bb455dbea97e6f0aa61f8ff4103760c3283176ce97a

SHA512
e40e83ba85fe457f319fce29bb8d8ca45d59164912057b2b9eda8635285b65488ec664764a8a05c2f0da633a62d8ed4b853897b81e06ae7b1c51b0702e5547b4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
1546477ae998f0959c8857593a7fdcdb

SHA1
7743e46bd008dd8d25c55f3833482288c87debf3

SHA256
35f6f676e5bef937edcc960a57b5cb053de8f8247992a4fbd629679bca289661

SHA512
ddcf7ff4f5d8e4f4685646e89a3be66d3644d919285f8c81bf8734613eb94ba52318e29e17265ae2da9f9564be5da11a42c7aa8ac857a0eafb530e3037014b42

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
fd09266b242862d5c6642794ef51b437

SHA1
ceeb8264fe53ec728542aaeeba8812e35adfc592

SHA256
c19a1f25cc2ad61aed0089bfad672f71f165f4586dc5e376c278bc567c761f02

SHA512
c183b8a9d4443aa6673993fef686e5fc6e2980c656bf9d2afdc650be883bf1e594d22d9fc5c008875203c8587c62e561711fffbf511e42697df9ba139ec21af0

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
35657b07044e792798c03bd32a5c6be9

SHA1
e7f96e59f59a6669e2582ac43e0d6dd15edada38

SHA256
4922a04f412ea256204b392f19cf26072fa2c37276cccd3aa1f2dbee3fcd8ac7

SHA512
f095d8339889c592ffe628d98abdcc7698b26ad2f9f5c89f23a8697659e1b18a878bf662614ea4ce7420c795c2660423862010e8bcf7323c4d8d5c57ad56a1b1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
e15cc29c4ec83b0921ca0559dee49c9f

SHA1
efcd551988cc5c9d57931d2ddf8b99e5ce611bda

SHA256
fa95539c8954c70660777f56a47401d83d9a7c480ea1224efbe2526b06347002

SHA512
7847c0c67f29604a6bd44deee733a610045fde70d314b45133f7f6bddb07ec0c4ad085fc21fbb97084d5430ae0932a0e93c0228d0288de78cdb0b630fd571dd3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
57c4b51b08df910ab27a0006bae0acd0

SHA1
3317e8193fad92dcd7e5e52b6b7569f280660662

SHA256
abe64f0d04efa2b3fed7f162687d0711955a297f117038cf8107207ba5ce802d

SHA512
6d8605814587552683d24653ab7ac190e0d0ed24f495e17abd75a3b0d73474307499e509f23cd60b1b5700e8d604969c6dd09beffe76edcb9d936cc8b03822bd

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
7a2bf9dc6baf52fba4aad1910504b820

SHA1
112734a4baccc1961320b76c267b138331b6b13e

SHA256
fca401071087ddf8eedb6e6622cac41e81890336bb2073a1917eb53bfcd6504f

SHA512
9dccf908af455bd63e032e2e9965404902654729bde820833a3f48e4f3c7b034c89af2b85ebbd77e75614a936258dd20cf5149ea304c680a1dc9dc7be66ead6e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
0f9dbe4bcbf39845884c76d7c15876c5

SHA1
c8a6aafca320235b52d10b25ba979b8c58ea0ef3

SHA256
88e404959fddcfc56cbf6feab5945406aa6035b5be792da02c2f8e325e6f3d22

SHA512
8ec9c364b30bc51a24b1279935ee045c981370fe6d55a109fdaf939c952205e25cfb9645b85bcea0cd2207aeea9acb8e119527ef58b3a38a7bcf2bb58c623e9e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
03c9ed6b31c9dea256dc2831e8204888

SHA1
bf861df06499a22d5ef0f792b07a98b5946b2fd8

SHA256
453b49a08ba3aeb1562ac8d111bfcdb5a1cb4e8df8a6cfd3a104e5330c6b861d

SHA512
96d844f8fcf69500efb7b5c22f30ba14a78650de2e0a53518fed7eccedfa0c9bc03b2ffe3be7bbaeda460c1a56646996238bb8fce4afafb12530ffabe687667b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
708b3158a55172ddca62f4690d3b1c33

SHA1
86ce050f5007e4bc70b656f4d9ee42458cc4684c

SHA256
e1c57fb1cd49b90d49779b3635a1e5d6847cb05d5c1d99b19582010784f84ab2

SHA512
e6dd9807b496955a5b9129221d8a7222a572c8c3bcc172311e1037ba1d258d2f2c3ea862ccd6f818baafa043f95fc155c2a76ebded8e83ce8bdc11a5316681a3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
211cc2a3ec01c856c7f401d28e7f377b

SHA1
39d6428860ba9f00f114fcc4b1c35ee557a7dfed

SHA256
fb80766a1f2ca9032d70b47b89c4a8572f75203a70ab1da8762ace1371c92178

SHA512
c5f48f10e5d2196c9a07fc486defc774328c7178bbc5844c4795053616f48a8b4025c194fc40bc9516cbf17ed56d1be46320d6c85ba4e6b9cdc07eaf1a55f3cd

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
25eac17988eea597328998f66ef2938d

SHA1
8b5eb52e2667f0ed7d97c603049f8f1ac4517a18

SHA256
1fdd1de7792c2fa10146073b98b378b566742a80b07c70357c43708a501c0d40

SHA512
06d2f5c779cd0931ea484664f7480df3cb66fe131bde9d5e4189574b898774269c0a97401dc1efd0f941d08c800a5b166b45006a14fec786d5c8a13328858644

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b18b3247c8b612494e4f6663ced091c6

SHA1
5efa1a117d1d9f5bfff90e59e75483dc55b51a3c

SHA256
f47663a57de48e71d7714b32078f28bb1a949ef046d69e2af372806350e93294

SHA512
b2d57439304738da0ca9532e0547f3b994372822efe6bc285ebbeee0d36714e39f88aa693d5fa12ec186afee56487278c6bb9145f351760795f643fa7ce45148

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
046ac11c95e53a4ad2d62aa1ecdcb1bb

SHA1
9f05e8a2a7cc0ee358da7fd2e43a9b9d9b4138bc

SHA256
1991441beaf35a7926f041c86da7d69108c295ae3f645d4a26dfbcf989f480b3

SHA512
10ce159696a4ff667df036e77cc455d21add0edfdd082efca4fc068b19324e05b02037aa2f792ede56c94f3abeebe8e845f463c67cdbfdb3c687ac35b6d2959a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0c9418748f94521ecec3ed773a17feea

SHA1
6a229e546140bb91f5eb43d72140df7f985227de

SHA256
cd2673b7888209ad7967584c0a709d00b025ec3812619f7aa5ae6967aa8d8c31

SHA512
997a1aecd8f3a8feda8768f201a178536c413c6c64c4aea682211a9afdfef539111fe488da9fc8b092c3f1ed1a8dbae3ad7f9449b377fce315afe90155a7a90c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
1fad8e29c7f02510eb67c53eaff95137

SHA1
0f09767f760f6f1abb339d1a79f982de7f7399cf

SHA256
33fb5729490dba7b968e9008dd33bc22f719f16c29a28e00d4d12aa1ed00eac3

SHA512
ff471e323874a77917065baf431b330a4d830e52e64ba70c547a09856b9186b5e9b8f7c0643975cb858216f9859a74949bc1df40ddcdea32cc7d6b19c9779828

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7dc3a85a769ec85be54e1e2b79982fa6

SHA1
559d16c6895eaaa9bb5ac0fc4e752176b30c3025

SHA256
47e30d491565af49f5cbf8441c92604027d6a6478cf088985accfc489cbea9d7

SHA512
5c635312f9921f40914631747f3659cd2fdd74ebbbf0609ed3476826793b201f37cd0531f17eba2dce54d5272faa13f6996895440394f4917bb56dd9a06a6b90

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
77154e5cd605560f197e71ae786e2d19

SHA1
87843528b2c036e1d161d88a1f42d9cb91073c43

SHA256
3e3af6cb387cacf00502f0140c948de76d797b328296a97987ef690014f1298c

SHA512
5f2cdd84f52cbf045a1f3f53b937d3191241244b3b213b896bc499c70596c5a70c1ef99203d6ef5e173c7dc9d7514f7f524dd851775c020c83ff6e02612ee425

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
7802d864670d0b83fb702a574915874c

SHA1
cc1b4e29b50403a4dcf1d1208b019d449570b629

SHA256
f5aed43c0f79d69a45b6c76d3f45e603d7a74f6f9df3a73a595d9d9fc7f1f6ba

SHA512
af9163873dfa5a78b7031fa7b6eaacfd7768b35a318685890662ca7a23d079fc251c689ad4a2770f5226d0de0ef95255757b50ba35a46b2f60a7d6c1883ffb46

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
7802d864670d0b83fb702a574915874c

SHA1
cc1b4e29b50403a4dcf1d1208b019d449570b629

SHA256
f5aed43c0f79d69a45b6c76d3f45e603d7a74f6f9df3a73a595d9d9fc7f1f6ba

SHA512
af9163873dfa5a78b7031fa7b6eaacfd7768b35a318685890662ca7a23d079fc251c689ad4a2770f5226d0de0ef95255757b50ba35a46b2f60a7d6c1883ffb46

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
56e29ce9bd500691099bbdbfddd264fe

SHA1
6e00d814800c9eff2d98bf4d2a8351ccb3084b4e

SHA256
84f20b80e1f6b7a800510af2c7ad897036b7787d44d128bfcaa5f3778d0f09d4

SHA512
d2c4501ae2370bc6a7c760eb35817c529b76169e364c245951e667b0833b2df8848351a1216c5769a1bad7f27613658b21a45b77cf1667a6b6967454b4581577

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
aa85a694911c6dbfc3557808bd2183bd

SHA1
146df580c2aa7fae4aa45026b8dc22661aa340cd

SHA256
038ab97aadec1c21685fcc671c848523f55c7aba4631f070234535898d1f1e69

SHA512
6ef8570bb957168bb1c47ccd3ce63d20d327bdf71e9308eefecad1eaa8a7efb6f212198f4c51dfb82631b84ff3dc8bd23ef47125799aff14541c9101a9267e19

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
099fbcdd01da1085438da3fa2728c3a7

SHA1
68a606d3d9ba59949aac0bd4d2481441afba71ca

SHA256
60c87f57a7bd52c0883919b4ebcb2d1229c28ad1c8080df7895cac1b40c5e93c

SHA512
0d7e96be3cb3f1f6bb52c64ca07d92fb24a8eaa4c187401cbdfb5400cd0dd78dcf2eeda05f311cee088611901f75a305f26b2c83112f85fa73d0f96e391e3075

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
099fbcdd01da1085438da3fa2728c3a7

SHA1
68a606d3d9ba59949aac0bd4d2481441afba71ca

SHA256
60c87f57a7bd52c0883919b4ebcb2d1229c28ad1c8080df7895cac1b40c5e93c

SHA512
0d7e96be3cb3f1f6bb52c64ca07d92fb24a8eaa4c187401cbdfb5400cd0dd78dcf2eeda05f311cee088611901f75a305f26b2c83112f85fa73d0f96e391e3075

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e44c4cb08c70a4864466ad98aea0eade

SHA1
b75b65715f817a8a015a3a720c0bd403defa0af4

SHA256
69da7abb0f2e6e615501cde5a3f7ef7ee0babf21e21d02e2a1eb3d9782776b8b

SHA512
c41d913c7e549805b39ea156904175688c21aa41622aa842d46d5e86d829e69da85e99dbbc966ea5031e56a81f38c2f03b2b0361a9e5d707efb14e9c1b5fdb72

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
53b36a08d7947d491db494788ec79263

SHA1
7adb91ce39c21da3743516cb09a0c42e732b46da

SHA256
6318bf7f38fe7bd58e314a36245f29f2b5689471c7ee7235fca68294a96f7a9a

SHA512
8744c787a518b12829d4d4d652dbfee02d41ce12bc7b0d6fec19e0053940125a883505d8e77916879a67faefb224fb605a29938e49b6bfdf46dfacf41766eb30

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
18175c0f2d7ad5041f2b9438b56bbb5e

SHA1
6ff93763be696f472c1a399da6d90daa54884247

SHA256
e3d1fc5792c49e5af73017131117f2cff42a0a73c99794181dd1f2de44094325

SHA512
156e88d2d74118adb67b3272d614b489c93c78fd1334eb336b3e9b7e1f30135b7c9272d1328c84e7b0144c2a9c1454fce1eabf76aa8d864b12a20d0108495519

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
23a06aa49496fb152e49ef11a4a12f81

SHA1
c187ffc769e6781f729a27e82f3bc7b7cf029c2e

SHA256
b136b5427455479a16e595da256f38c7258d7ce631360c7f1b821507da3deca3

SHA512
23da7fb26ceb78d6854bf4d4310c0edc6720417204fbe5c5dab2d7b9d2bdd76ce54674060e9b593e9003fdb99f05e14ac90d36bbfb9bb8e8ee6981bed8de2a1d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
75d151327af9c5aca1d093afd9a95b70

SHA1
07dd4a420eb2fac08fea1bf2ef58adc0531dd43d

SHA256
9a7226a2702a27a848ac14a7756e6fed751a9f4840164da85b0aaae49ef9c5c0

SHA512
b0950b6ec732c4e3ce978b21cb29a406f191517cf8f4d720eb451613c4828135df274af2c4ce7827f3b3bc2fa4eec82028c7af58c324bf5d5d4ccd62370f16bf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
27e8912eb0474065e243f3e7fa055750

SHA1
4085bdbc3ad8a71ff9fb484fc576fd030086a177

SHA256
6b3e4733976ffe4a73edae5e38dd54007d6138b194113b098101940f86738881

SHA512
ef121f7a662ef9e3876ac01740fcde5f8e3cf12bb6a0402e788a8383a038911660c6ca4ee4aa0f5982075882a2bbcb7bee70b19a5bc161ad145b3d63e92c3a5a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
31297f5e3dd4747c64ace3799738b991

SHA1
e009d0be5666d67365f0ff989d55d4a9c3293096

SHA256
f478af1285b3dcd292a3c3540926ba054194db6a2419cf4d33e24bd02c1de4f7

SHA512
3e8ac54ceb9903d84d2589ac7b8ee298abd7f74d75b1d990cc4f958017d94db300c8872f72b62e20616724e62969a21f6eaf4e44a782e3b670ab9a9c440ee167

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
427ea1aa839fe6d0a3823b4ffaeb2018

SHA1
a28d3dd1d5141c409b116504c5ab663a35c01990

SHA256
4ba7ee1b47452848634bd99fef0f0919672b714da0db7794ef0935f0b01e5aad

SHA512
a2b2269c64811499ced3533cf74e8a09671882bc6c67b34493b94d0d17d09a1bc23c628294a48b1c4e78c67b7d4f982a21a7d663889b26c691ff811188f4613d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
49fcc31ee87934873f82005c6a33629f

SHA1
44bd6ef73bc2521024ee6929529afdde19f94d55

SHA256
a686ca56ffed7e0b1ec3d456b75b818c2f6a0c34f336b351d887bb63a7872bca

SHA512
a06587782d8a2e1b96d9ef0110d3bf069968d9fa9c2aa567765421f911f73e79101f5849aec8f2720181c37a6c68c44ebc4f643583888fba60f8ac8920549b47

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
0c9418748f94521ecec3ed773a17feea

SHA1
6a229e546140bb91f5eb43d72140df7f985227de

SHA256
cd2673b7888209ad7967584c0a709d00b025ec3812619f7aa5ae6967aa8d8c31

SHA512
997a1aecd8f3a8feda8768f201a178536c413c6c64c4aea682211a9afdfef539111fe488da9fc8b092c3f1ed1a8dbae3ad7f9449b377fce315afe90155a7a90c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1a81bb489619403fceac2ce23695523c

SHA1
11d25228910e112787c22815874366796d3fcd80

SHA256
cf620f6d30b7a5c773003e8356fb19af4569e0a75c55abdc22834d0f706e24ba

SHA512
63e4e4c98acd249e6b1c3b3e85aa2e10fea3a51f6b0caf3bd5f6ea6d0bbae2e9219617a33f2fdbe1690a1aaf3f6be612b4cb1cb81d6931af4079f200117b45f0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
eded6b2f07c445dfdd129bc99e9d253f

SHA1
14ad306a27aaefc9f25784b3288d2d1d3cb00e49

SHA256
ccca00088ceb905666cb5de1851fe8a4149406fcb332eff5951235b1904df46c

SHA512
42f3d96a1fec271d7e822c284571425670864451769a0bd93576d6327f187246eb612742c9c454259c36dc8068eae4593c8bff1f4aa1ab353f159eabfcaee31d

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
7dc3a85a769ec85be54e1e2b79982fa6

SHA1
559d16c6895eaaa9bb5ac0fc4e752176b30c3025

SHA256
47e30d491565af49f5cbf8441c92604027d6a6478cf088985accfc489cbea9d7

SHA512
5c635312f9921f40914631747f3659cd2fdd74ebbbf0609ed3476826793b201f37cd0531f17eba2dce54d5272faa13f6996895440394f4917bb56dd9a06a6b90

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
59bfe90749fe115f84dbade8f877043d

SHA1
a8df54b55cafdacbbf37d6b8383d515a44e8f689

SHA256
395cdba2fa37389217303732fbf992916793340d612447077241661e26fdb35b

SHA512
91542100c2dd1d8dfc1afed914edbb38ee7225fd30fe43663fe45fda5e429ec44802851748f329d7a5b9918080b93be1a59c131a9876a4d192d6e8eef659421e

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
49ebac7744250dd990a9bf7f8483b34e

SHA1
009ecf54bf18a238ea64d990fa804af6500ec552

SHA256
1ffacff576454358557ce47ad1bc735d8eae8c848042322817fe690566da9f33

SHA512
61782465deda8d62557695d6260c01625ae3e15a82b0f9b1aa2a1dd23b92a2017f250ebda4683698196c5566399a8cb057b89778c3cb3a6b68a265b627d6b626

Download Submit
memory/384-576-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/384-378-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/452-399-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/452-221-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/452-220-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/532-359-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/532-180-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/532-184-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/532-188-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/640-146-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/640-321-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/640-153-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/640-149-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/948-579-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/948-400-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1092-709-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-706-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-719-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-718-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-664-0x0000029C61000000-0x0000029C61010000-memory.dmp

Filesize
64KB

Download
memory/1092-665-0x0000029C61060000-0x0000029C61061000-memory.dmp

Filesize
4KB

Download
memory/1092-666-0x0000029C61080000-0x0000029C61090000-memory.dmp

Filesize
64KB

Download
memory/1092-667-0x0000029C61080000-0x0000029C610B1000-memory.dmp

Filesize
196KB

Download
memory/1092-668-0x0000029C61110000-0x0000029C61120000-memory.dmp

Filesize
64KB

Download
memory/1092-702-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-703-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-704-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-705-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-717-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-707-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-708-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-716-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-711-0x0000029C61060000-0x0000029C61061000-memory.dmp

Filesize
4KB

Download
memory/1092-712-0x0000029C61110000-0x0000029C61120000-memory.dmp

Filesize
64KB

Download
memory/1092-714-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1092-715-0x0000029C61150000-0x0000029C61350000-memory.dmp

Filesize
2.0MB

Download
memory/1400-554-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1400-362-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1544-342-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1544-349-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1748-275-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1780-215-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1780-218-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1780-206-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1780-212-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1892-195-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1892-201-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1892-204-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1892-360-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1912-581-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1912-401-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2612-323-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2644-380-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2644-577-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3028-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3028-290-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3744-340-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3800-303-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3800-516-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3912-504-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3912-292-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4232-163-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4232-338-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4232-159-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/4232-166-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/4256-538-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/4256-495-0x0000000000B50000-0x0000000000BB6000-memory.dmp

Filesize
408KB

Download
memory/4256-540-0x00000000051E0000-0x000000000527C000-memory.dmp

Filesize
624KB

Download
memory/4280-419-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4280-233-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4296-274-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4432-176-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/4432-170-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/4432-181-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4432-190-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/4432-193-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4744-256-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4788-631-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4788-134-0x0000000002410000-0x0000000002476000-memory.dmp

Filesize
408KB

Download
memory/4788-133-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4788-139-0x0000000002410000-0x0000000002476000-memory.dmp

Filesize
408KB

Download