blustealer | ba90f21e249436110f895833ddbb4f0da58497250cbc56f1dc60fec823e64a08

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2023, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Size

1.4MB
MD5

34aa0ca40863c30653a0b6ba10d3daa2
SHA1

c5dbbc9a3f6d537ab49aeb89223810cd67c256f7
SHA256

427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9
SHA512

34e46909f3ea586033baa5f73ecbf1f5072f2d05cfaf77f6ab2535ee0798f01427b1e62719fc4026f4b38af03e445a33ff2deb22ef9817ab42e506cfb5cb10d2
SSDEEP

24576:O94Lauo2BLrZ6dj7Wd50QKQIsBJXkQsUc/i/Egj87qLom0Y5m6Uy:O/uHrZ6WPKQ5X0QsUN/EgQ7qEmv

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 20 IoCs

pid	Process
3408	alg.exe
4488	DiagnosticsHub.StandardCollector.Service.exe
2568	fxssvc.exe
4944	elevation_service.exe
5012	elevation_service.exe
4756	maintenanceservice.exe
4672	msdtc.exe
4312	OSE.EXE
1516	PerceptionSimulationService.exe
3700	locator.exe
3028	snmptrap.exe
364	spectrum.exe
4580	ssh-agent.exe
4016	TieringEngineService.exe
3804	AgentService.exe
524	vds.exe
3068	vssvc.exe
4204	wbengine.exe
1800	WmiApSrv.exe
3960	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\wbengine.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e176c430c9ce9937.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\msiexec.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\System32\alg.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\locator.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\System32\vds.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 3724	2360	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	89
PID 3724 set thread context of 3608	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d561005377ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af4ee905377ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f55a7806377ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dcc4405377ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061d44f06377ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000643b4f04377ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	105	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Token: SeAuditPrivilege	2568	fxssvc.exe
Token: SeRestorePrivilege	4016	TieringEngineService.exe
Token: SeManageVolumePrivilege	4016	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3804	AgentService.exe
Token: SeBackupPrivilege	3068	vssvc.exe
Token: SeRestorePrivilege	3068	vssvc.exe
Token: SeAuditPrivilege	3068	vssvc.exe
Token: SeBackupPrivilege	4204	wbengine.exe
Token: SeRestorePrivilege	4204	wbengine.exe
Token: SeSecurityPrivilege	4204	wbengine.exe
Token: 33	3960	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeDebugPrivilege	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Token: SeDebugPrivilege	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Token: SeDebugPrivilege	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Token: SeDebugPrivilege	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Token: SeDebugPrivilege	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3724	2360	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	89
PID 2360 wrote to memory of 3724	2360	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	89
PID 2360 wrote to memory of 3724	2360	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	89
PID 2360 wrote to memory of 3724	2360	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	89
PID 2360 wrote to memory of 3724	2360	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	89
PID 2360 wrote to memory of 3724	2360	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	89
PID 2360 wrote to memory of 3724	2360	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	89
PID 2360 wrote to memory of 3724	2360	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	89
PID 3724 wrote to memory of 3608	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	95
PID 3724 wrote to memory of 3608	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	95
PID 3724 wrote to memory of 3608	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	95
PID 3724 wrote to memory of 3608	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	95
PID 3724 wrote to memory of 3608	3724	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	95
PID 3960 wrote to memory of 3644	3960	SearchIndexer.exe	117
PID 3960 wrote to memory of 3644	3960	SearchIndexer.exe	117
PID 3960 wrote to memory of 4484	3960	SearchIndexer.exe	118
PID 3960 wrote to memory of 4484	3960	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
"C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
  "C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3608

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3408

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1152

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5012

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4756

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4672

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:1572

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
PID:4144

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4264

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3644
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 920 924 932 8192 928 904
  2⤵
  - Modifies data under HKEY_USERS
  PID:4484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
22f09cf650faeb322ba8e4fd3320a183

SHA1
7f3558b9bbab8f83b21ff837ab1449c3c802c5c0

SHA256
7bf327b35bff038db85fa57e2af949bbf344ff4352bdf5b8bc409c5aee2dcd91

SHA512
68e097d0734a1436e28192921612b1ebc3ea09746e2330480808818d04094e45635b520126a251d7a4ae9264f718cab6074cc3608b00c131612e8638e1836f03

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e6af56f0bfb221e5cfd2f02e880bcadd

SHA1
c02a4e68fbbe60fed271b832e027a44c0c98d79e

SHA256
e4aac9e1d86b9e799ff91e102c47fea8199343b0f9a69c05ea0cb99d20d873b0

SHA512
92c0d14c2605070fdb74cfe31f3283aa6a3fdeb61546caff7a3caa59791a2352b56d2aab5b5054101fc8cf6b079149970b0cff5e3313267ec39d200ece3bb49a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e6af56f0bfb221e5cfd2f02e880bcadd

SHA1
c02a4e68fbbe60fed271b832e027a44c0c98d79e

SHA256
e4aac9e1d86b9e799ff91e102c47fea8199343b0f9a69c05ea0cb99d20d873b0

SHA512
92c0d14c2605070fdb74cfe31f3283aa6a3fdeb61546caff7a3caa59791a2352b56d2aab5b5054101fc8cf6b079149970b0cff5e3313267ec39d200ece3bb49a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6bbb2342e60586cd67cc19e8fccae25c

SHA1
67e47e5a65bf4043789515da2c43f186768e3bcd

SHA256
eca96cd076324e9f5f29b1f96a16597806f0960616a54c9da7969d220115b097

SHA512
c2899e0cae7cdb5550837525cff21fffc562377695ae7f0e836b03a83c61bd174df40b293eae845be4add60a666067012489bb60e23a01a86fff87fb5115afda

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
c216471932a6b5d4075e8931038da017

SHA1
84d6d2f89aaf00213036267f990f8cc5cc33aac2

SHA256
566d8d169b71992f5f37a9a48a1913546d6b7b6c4eba92189fba9470d6e580e4

SHA512
99c01115dbcedfcd6ed744fbd5e78da1ab9ff1abb1bab4b7c03fceb70adac2ca54be41a98cb81dceded4b4b53cd412ba52203ab4925fc12217bad044058ab831

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
9962fb858c74f8f05563254c60e366fa

SHA1
56ae07df8dfb2b9ca4dd953d401e71e05f2a8bff

SHA256
37838a2c701bc91a0280b0a0f64a876288117ae5ad7a35839bdd1efd7d80ccf6

SHA512
e927766bc86e9c93cc37f471604c505b44210d2ee3a88d708f87350c0491256969442d0973fe07795e8f01ed973f9247dc3ccd98987a1a48b83756b6b6e8fbb9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1a3451fcaa45cc5b4c8b251a9af73d0b

SHA1
eec2deaf14b47d7e4fc1489ac2993e087e3b1cb9

SHA256
dd23068aa79e0f0c3d04d7e30b9d277efa1ad04b9d5e8803fbddef1960075d6f

SHA512
750d521ba479ed2f00477200c6c5fb56b62754f4ffe4ad92fbed2c2f43ccd8f2f5247674a03943657a8a05286a57695bdb840b3efb6751ab96a528a1af83a59c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
205d7dacf292e3258e2f0758139021e9

SHA1
13f72d8e819de143af60fa248f4f8af671df8725

SHA256
26b96c272bfae44bc6871a6eb0c80c573c4c3896be33dd6e0cd0db7d35b48921

SHA512
831a9e7bc266c445f92676a4cc1d1d9437d778faf62e828d887dcdfc9ce1fd69928c1b629a58468d26cfe055aa8eeedf99255f74e1e7a6a5f42aed0a00609868

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
90d4d53ce7416242e0c737cf7fff9ce7

SHA1
c907caa0ff528f7bc5f1bb9e8e223a5d49c86420

SHA256
276a4ddd054fd1f923c285f161f72544a3d90ba11924882f53c7eb9b62285b14

SHA512
777221fcce8aaba6292656266fba0d2b1b6eb0d9add36a9da3311d26ed68e04ee0b5934001d0436ff6aa9d11e66f93200281e2d1f07f870256658935bb9e6899

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
d6d32aa15ae38bbe32dcc888c60949a4

SHA1
70d594410cd37a80bb90b3021222e0e1557b0138

SHA256
ffdb978ada93f22fef44aa7d93aff851492b16794ec1fff6f299ca6e212c14dd

SHA512
fabd6bf997c76729bc18c1d6a9dea4a12ead6c2da9982884b0481b592409dd93cf5f63873d9e248036d59dba450a9f31c6845b8adf1153aaec19f4fd865a51d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6a5a1bd51a02bdb5fc47b7ffdd5e884c

SHA1
99c53c194f7effd97c8778390b409805058f8eba

SHA256
329dcf0344f4212f3bdd9bc396e1fefec41775c318b6c61c7abd71d79c38d72c

SHA512
ddff07d5f39e8460d464050101a5dd4897c76685319af924788326c179273426c9d464d41cce85b6d6b1cf7f7ecfb1b265d29190401cca0512ffacce8635100c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
74a25fb329cc9739a964bbcbeec645bb

SHA1
29e46ce365604046a4e4ef1b00ba7c88e118fdfa

SHA256
f526a4c6385d6d7156977a7db6773babc8c0bf7a9a8edbbec38b034e2153bc22

SHA512
e87340fe242fd5738ec82a0eef75352241d11badf6fe1d675f31b21af9f7b866f133220f2a00f8e0048399900f939aba1d25b85fe4d2abea72e29b153572452e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a9808a7c2242a22a31d3f22854d6cc88

SHA1
c05de3dbaef8c1bdffa4307d15afdd18509cede3

SHA256
7de465ef83b7eb1fcfee522b4b6c1ad3a7afe4ace91f160040904368cfc5c6a1

SHA512
c1be8fdb3cdb537a800f697b77008197beeb8890347ddaab609fa6be9c30bd77c2dd58c645f15662aa54073f0976a94c043e3bea1b8974cf6d1fec7225db5bcb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
359b2a993c498e4280494104093055e7

SHA1
1350f18be1be7ebdcae58a3223c55e20bcef857e

SHA256
8a83e12e2055ed629bd17a5e811075d97e917dcc463c49da5e0926aaa24724c8

SHA512
f29f13225d3067bcbc3f0b2d7d14b0de4d6a5316d41aeec60cb9da1ec2cfc396ae3ecd140f90e7ab3b8aa4721378b0437495b14eb86c422282f5692a9eaebdca

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
cf3237924868728745728bdedfadb3cf

SHA1
789a2020780fdb9abcee6449fb85c157773e3d61

SHA256
ae563fa5934b877466b6e254ed296cc775f5cd23983830df624087ef28523322

SHA512
f5ded274b547be2b579ddd1bb1cbcbc894199c4097ba20eba55ade8dba90fd9b8227de5666f1d1512f72a4f615a9e2b91b8c30529897322af38ca511a4eea26a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
e3af8fe8f484b164e06f27b77bc2b45e

SHA1
22c177bb6556555f582df53b80e1904af013ba05

SHA256
825a406728d6f1a54ebee78a922f417d26e12cbc0e6a24ebc9a87f2120736a8f

SHA512
031a73a782f55248930dabc787c03d1350d568b460372b18a14d5ed17aa728f5f84dd5be6dbd9dcd51c027d3afcb9a003cf8248a071e3fc7c175bb60af8c938b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
38c33189f11a34d96436c9429d662367

SHA1
c154fb8d4ffba4508f4505bba40ac64727ee803a

SHA256
a308a81e5b99269f1b57eef7fff6eafee29a46d8629d14372132d8e90ad4a8cd

SHA512
2c46f08843928d9a9b4664dea712d03ca7988ff82cd6dae0be469735edb5af7b9c59c55bf5ea2030c2a6a63f05019c8e0663eb3dddbc03ad8f4142793fb74dbe

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
e73e45d17c5384faf75ffa071aa072c4

SHA1
4f6b3541b657142ffec504bca9fec53445066dc2

SHA256
24107698c827f2c5758df17618dd87d08eab870beed7393dc84d5e461e95dcbe

SHA512
0592f456e96d77843c3b86a7f5b20c09d516f8af476449c96cdc25bcaccb3494e2c05cb9296a9556f2d11ede785038a51ad0dd2faae163d2d8753320795c1b6d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d46aa7c1157c87decc1fda5a80357c30

SHA1
8c6ed84e3931f3524dbf312efbae5699e8e68af0

SHA256
2b25647f3807cd58e2127d97560a0fff24b07008d86a74a0372d924b0cd088f0

SHA512
e57e87b3b7719d04d75f771bd362594d3fd59b49c13b59a4cc8aa0f2f28b33094d385a1cdb772798a5f0cc6e93b2256cf292ec62ec3b399f74b0e878f9451c3b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
0ad9b6cbb5a29a3bb17efb00f8b53841

SHA1
cc394d08ff74b9bdf7f132e3488ddb806289c0e6

SHA256
855ecae2a87181787ffc9854476cd252b441e136e035625c513e62004b7ceb7a

SHA512
04f95a2203ab0d82030b5da90dbd99a45606a07f190bb8e54c1c622f4c0406a4c41981b1f910e5a439f3e6887f4e3aeb43e1ec2089381b042b04ccf273eb1bd5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
0a70bb20e60d0ed617830ca5799a3059

SHA1
0783d4719c4a824f3c810df7fc1e773e46986bfb

SHA256
9c884922b44796e604c2a6ce9e5fc25e477614b453676311b46cae3f5459b06a

SHA512
928e57f4f8d13d2e537417f6d32d51f5ba524d40e1f66f57a9eb26087e36b891116e249ab92eec727fafbe40e8f9c0194006166626d5eed965fc2b2f64baf617

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
f3f2dbceaa8ff29f6b5c07cd314e1c63

SHA1
4758d557262b135ab158acbf64b3089dce6d30bc

SHA256
9b71cc887b330d3e925e8cfb649e344d3fc437a8a4f5dc3b66d218a4de1ee759

SHA512
46f942070f3058825aefffa83cab8eeda4ec4f3f6b0a4800db40a5ddfe091e4720182295cfdb62b2dbc4a03dc9079dacecb67c2e08aef8cc5f4b770f869a3fa9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
3ab5ccdf398b0a8c403b4fb9b7b41257

SHA1
b9344dcbdbf0d78b98ec8b61cb59123e8eac890f

SHA256
2555ae10c96d8fc58a61ff9ce917c3aec5c298efcd3421c16fe346840e31eee0

SHA512
5876b0c03f64e062a15a3519cf6cdc9565811a5c17268dd204204d6c4894050281973c8c2dd5ca897fc31a1c7f17b68a91b086e043637c2d3832e7c6481404e2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
3b40120324d050b3923faf3bcce68451

SHA1
566c029e590a72f72bb93daa727bbd40a7670319

SHA256
c10e0da98ddb9eb25877a33dee9f19484407585e8346dde3c12a94111d9ba3fe

SHA512
79f67f8ca879b2f61cede0458a1a8ce56f4517359167798fc50f3e42087eed4373cf52cf035efd4bd85ee9ec84cec207757bd47ae2c235c2755d4c06cd0fce83

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
50f883ef1639fe7a49e210a981646e91

SHA1
21895f5faa44d3199b1fe2443932af67b441223c

SHA256
c3c824e4fea2656c82fd71cae72b5fd6bc1d3a0a401c5d1e71cb132d3c063f55

SHA512
1e09eb0745f0149782026e79b34d0d6aa4a52bb82826ca11b06937d44b42c2d6d41e33b4208b1381e3ee4d9874a1573dc40a7f221a75d5bab5746e5abcbce053

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
c4fe32dbf43f98cfafcf8f3f4768f02b

SHA1
120c4549bbc7a741d74a7cbb8e2bc883d615be77

SHA256
b4a78d3ff934ab2ecac348d571c5d5d390707032e01555af059a8cff9009ef9a

SHA512
fc1d6d9f7553e2b463198cadb19c2ea39360d592d1729fdb064d31bf0522565be0d7f9f57e6c963838142882767c6f0dac8b0cee285b21519c91426f25fd5d20

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
40b8eeac00571b58dc11902e8967f50a

SHA1
a7f3878f8b4b041931596fcbd4d4e76798e441ac

SHA256
7c1e990fda7b4d374b5d89447e25ce6c3244d9004145d475e7a6bb22697cbe37

SHA512
daa936d56386bf05cb8eef02f34b8c3005ea8fefeedbd1b86856185335aeb0250e40113268485c55eda2fa93c0d505e05a6d27591ad93a5e53ee08b937045d59

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
7838933125f78edd3833dd17e1bae776

SHA1
e69ccb1d07eab5edaadc8570e5879157c9493c0a

SHA256
5d7d36d68ca2dc198c0a9ee0700a8ac58a7c47ccfd45d8238e64873d1cc8cadb

SHA512
5b984682a563d46594271000548da0202b79d91f554d507b00f2afd6bc450f1b5c3811f5c46886bf938717b48542fd936e5264edbed8699e0d18bee44b7a5708

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
bbf5f3595ff69de12cdd1bc0f9f3e09f

SHA1
2d80b7d3d37d45d2b99f4cc7f3f16a84e24efe3f

SHA256
4f0bd185ae6adfa0195bfaab65e4191bf0a20ac017995450412644424d411cab

SHA512
9b6ddbcdaaf9af57b1141875987a418891b3868688ccfafa4805d9e7939b868b230f353c1bbd4400c9c6f152fab805f53bca056e74a2aca784db1df595c67281

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
a04c438a9544d6ebce91d0670b8f550d

SHA1
a2b2e814ffdd745f09ff814eea4a8b48f0967f50

SHA256
360b102ca09b8ccd7b34cce7e9fe4e03eda2a49c3263390ed240299c95a99092

SHA512
2b3aa679b4ce4dc15e283c02b6fe28adb35d5dc6864cf77c43bcaf4773a8539a42df8c10a5b2c35ea9ec8ed1534b07e4346fefce26481342c41f987b1af8f9b3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
ca0adf168ca52fc5ade32057a9a9d15f

SHA1
ea74552be66f3e62ee8a531fc73fae75edfd383b

SHA256
bb08d2f3b09c274df17f2e5af486d78bf981c0f921f36d144295c3d360ba08d5

SHA512
9ab8460d2dcf30f0f602782bf3ce571721f006d3b444610993a4f92054f449a8bc74fbd3c343906d3f57f0a8db6d659a255433bc36ff483d73cd571070879c3a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d18b159a072b75db19e99663c57f8525

SHA1
5868a1f6a005334f22d1955f2e6198f3e12deaf8

SHA256
a0d72d011cb2e5e8a89c0a76ffb78930028be873a44f19d7f44c5e1075b8d7a8

SHA512
a8537a03057a884721ed85492f79c5d03e27948b19a75329eea31fa2493f3fd38d40a33495549d718edf2732476a2882a76b156ed080ef9b4f8809be7e95f7b8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
545b54bb8bb62b249c42e666a4b94e47

SHA1
e2159d5b4c84c519a5ea3f789479cb9cfc8cae02

SHA256
7b0193972ea762e43612695bf826e244abcaa0ba1bf7a96df4147bc5e96643f1

SHA512
ec46ffb9c692ba1f58d18301df4129015c0b4439d546bbb0499fdb79ab38f45343b933a368e61f92718326ad6ade9831bf42f2d9b17c5a561adb0b4dbcb5b564

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
f4658945e3cf3430d16fbb09d5a5096c

SHA1
cff67f03fc9007a2c678258caac75551bcb3e83a

SHA256
b7a1bdeff69bebd56d203f65903d358e8bbfcd878733e46b45c8a05bab9b55ea

SHA512
c64f8346c3fb9d718ac2eab03a534a6654c1c14b8a17c3cdfb54b73d50f4089f9f0602c80c81026bed4fa0138ace70ed95b0fd2714b15eaa2f38b67d5377c428

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
140d078e88c9965c44f8b6f61763f9e4

SHA1
2cb678647241453bf947c015a6c05b9a70d4eb85

SHA256
fdfb1763ed43ee6a70219bf61e335f398441102148e0e05f454a8ceb42f9ef8f

SHA512
6841417290195d99ab07debd1ec86130288a61259fd1650387627910f317bbba2a2989258b1caa719cc1ee246c58ee35500a14a2439680d618ffbb7add385e75

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
b0d6109cd6f5f7731919685eb0ed6f29

SHA1
f3f3bcfcad503d86f50c7e365e91c036fc0bba3a

SHA256
a41cdf3b255cbd6fd3be73f09468adfb4c9c39adbcf37d5bbeeb57f639237f87

SHA512
b7f1746f43290cedd134625a1e8dad53ae9a9bc2d53bf57cf6945fc492992af5f7757297f06f65017a5aeb75838eeb53f813e22699d0fb6accce6637ddbaf0da

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
87325003b1610f7bcad11ac8b9f0932f

SHA1
f7c20c809bfe2301a62a91610ae3c3fe4629559e

SHA256
183c94d0f308e365b6b9a838d9c92955d8cd9b3d077addcdacccc7cc5156d46e

SHA512
677615c4e451d81338926412527275a31ab3ff883fcf423a2fcee16a1c3cbf4701d9b46fd135141a82ba9bd70478c69da61d77920e21e5aed0b1184fbdda3aaa

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe

Filesize
1.2MB

MD5
76541eb23598d4396e9d6dfefaa77f6c

SHA1
a7a9b79daeac7fb7d968709c3342bca8ff2a9a05

SHA256
1a5a638ec16e8bd700ada1f8f36c2cad638570cd2cf6187981dae48114f8ba86

SHA512
13a1b39c516f6be9570e1457ba15a0d598183a052ba3733f4430361af401d368ff14540e8e8b473870fea46bc4ac9b172be205a3e9c1515397da06ba6e39e003

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe

Filesize
1.2MB

MD5
ff3513826fa3230960575bcebcb2d95f

SHA1
675c0f694d33b779bed9f8366fd75b97c97ddde0

SHA256
6fed7df825076243f2b4773b2e647c68d20f33ded3c1c7ae5eb774237f41dd74

SHA512
3229c58cc8139a50400122f08b81f945575fb41d7351cfab1059267aa22a8f8e85d776a0a12eb135097376307855dad0ede7312529436460b8984d39c5f7501a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe

Filesize
1.2MB

MD5
c0d3d0fb1f4e8e4f40eae3367b77c3be

SHA1
881edb384a0e5136b930b8518d1f5b2496c74e8f

SHA256
023697d955d6e249e09006d09211faf8098446110961c325ab777478ee2ebac8

SHA512
64b249c7a9cd9ac28d49aed5d8c319e062a9d76e89c54c21772d34c90385ae3a1c62c18144bb8c97329f9891224bae485fd9d0fb697c188d53611b8fc5c88d70

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
27c5b677a99cdff76866b5214cd0be9e

SHA1
02676a00bf554b1ff80ad64eae158c86ff23cff1

SHA256
8da6c2444d16e33f7e7f22813ce5dd9d78e7182e9ac8592634c51a2ed0c9c3f4

SHA512
983a8c4ff7f6fd17953b902c82a77bc6ec525aad081c5125ec1fce90ade6d02a97ecde45c12a5d49bf2d2feed187f8177215a03ade5943b1bed0428efa8a0b31

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
407a5ff59ab251f1f4827b65b908494c

SHA1
10e9cc872c173475ed76e5f35fcce1640a2a9e9c

SHA256
56cff878bdb3c4f9c34fb2fe16202fbae0eb81ba33f60082fc72e4ac6c229d33

SHA512
d1c35ac667c737ad83efd501d4d8aeb05cb4a20222c489327a1b43d744d96e96240a5525d14f6903a879606862f449286d9b3718d11c6244434502430f518d0e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a12a2fa42073ef56df1b5cf6b46db9a9

SHA1
6d5f18cf674509fade57e1108c86dfa3f851477f

SHA256
7bf023742a5f1d00556bb69a4699279b966f62cce12d54a660effd370474498c

SHA512
5b7e59d1ab12705f1db4ff42cd4fa678c05f90f168a3f7cb4cdfe16ca25d82d6002a639fa50504ef088599640978c3af3c452221daf5a0f193fd7e0373e2164a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8d3c5717a56c5f04dbb158e23e1299f5

SHA1
99d557eb09d8a84188286653ba49f91e50201f2c

SHA256
d7adc6de48f207687a3e87634890d5f19034a6006184c9635251d4ce4d8ddea4

SHA512
684bb764486b4c942f1d4e0aa8a9e358c51e98c08551cf67071203c4b620f602699f5b355d0a812844856fded075ff508d7441e6c008376fe1025aab0a562841

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ad9bf3d5cfab1cebcd8f3c32fb095c1a

SHA1
e8c4560ca8b9bf9e70f92b16ce90ae1bb3a19fc1

SHA256
e34098065e2826641fc3ea13af3751e9bce1b0e25eff494d0017ad4d6d10996a

SHA512
ef2b2b923b7e2c8871fa03870d5aa9506aa534d7df152513f13ad8c08a42107f3f2789612bf3ec54bf6c3fc997e13c764f7dd1f1c79708bf8628a951cd59b06b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
c715f1b4339cadb98b294aa662db2b4b

SHA1
bb9082c21d80f14d914eb4d61c04f8b97af4fe8c

SHA256
6fe75be6d82f17169e1d3199610e07a813947099b56bfc6f3ad1545bd6671dbf

SHA512
77d7b73a63d322b701a9a8e577899931981277e9ee1927a8087cbaa1e5af603025612abecd654ea255786a4fa2376aa5d0fb311545c3f56ea10fde87878143d3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
c715f1b4339cadb98b294aa662db2b4b

SHA1
bb9082c21d80f14d914eb4d61c04f8b97af4fe8c

SHA256
6fe75be6d82f17169e1d3199610e07a813947099b56bfc6f3ad1545bd6671dbf

SHA512
77d7b73a63d322b701a9a8e577899931981277e9ee1927a8087cbaa1e5af603025612abecd654ea255786a4fa2376aa5d0fb311545c3f56ea10fde87878143d3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d6243be07d9b7bf13d6aa61650b0f8a2

SHA1
518375a2f74b1abca8e46c390fe3b9a355d6c288

SHA256
9a75bbaf6b44514e80198946467c76c703635408343b6c7be3da20c0184e3489

SHA512
6eda65e42824ae062d0089096ce0d36cc5792790cea7801641a4477eea233e4f6c0704d45462b75bc1ad6eb3758de254ee288ca4929a56a43cb302ef9a097dba

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6d9d12d1395a0b7cbb5c04c992f4e037

SHA1
76cd3b339710926eb6661297379abaa83f1eec8f

SHA256
afaea2da6eccb0c307c5711b07ff6608c251ab03f8d3cf3ff9fe6be88e071f4c

SHA512
0e1802d2ed4973c9e5d96f34f5c28f4b82d33cdfc2009721aed8c2daa0a7876995729fd8718efe3a08100a26a8c3f01b34fc7c40c5d5537081f79271f5207992

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7ff182b06320caf4480818fa41975a21

SHA1
2e7e11eb5d562afd2fb482e2d5149b9a66119e16

SHA256
4fa5cf363c18ee6d0a9fed656fb2ede7d9e111f7927c23aba7a52dd7b420691f

SHA512
85338cce44fdf87685240132e5be93944ad63129065883895edbfc036afc58fab38fd4daafbd02236bbec9f954db816a1d787101f9b4f5b460a505987ee6a69f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
614f272d717402838b8343f7cfb14008

SHA1
3abee5bca6f8a37337b7894c03bfe728e361921d

SHA256
e8fe4c0008e6aa4ff561d0fba2883279fb705e7fd63838ec9f5ba52d54c119e8

SHA512
0b64400a4c10a7913aeb41259cd6ba8353782a081a1418535782ebce4741e2fcfb1f88c17bde720c7b0a699b530cab3159e74857a6a25a3bb7455b77702abf2a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d83481464d8240f60b33eef0c6c3236a

SHA1
6f9dd4cce0b0d83be23fc57e4710f57768da3550

SHA256
320c16c9c545dcd597ae566b17eff80cf479f157678b61aa931fb112a8e439c5

SHA512
97a0bae28c275c3e154963ec4bd1eab2318d999087e48da17262d19ceb2dc2123cb4418dabc0cfd9615e43aa5028c68320cf5af44d332eb59a96614fb6424dbd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2484cfe88a13e6f16b98da08f8085e80

SHA1
d4dfb30527d68f54688ca9bac4cc8b7a782d37df

SHA256
f42faa0cc6e19e97b1555d72087bb72611f0d3ab893d05e4ede574f5d58617f2

SHA512
5c1b10eecf46756368af84396c79d19dd0de5abacf12ab5a0d21d1d51794ebff544b1e9efaff10e08b501eec75f7d39cad5816ae3b411d03b39981cc8705ca79

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
430156bba348c77b45f839fabdf338f2

SHA1
4deff6a348a6fea8b187037e3a47c6de257bbb21

SHA256
0f2a1386b37218142bf1f2847f5dee0ac4921f1fd1b9c5b75f8bfab90c77f236

SHA512
9e76beb7a56b94eeb3f71f3b704e3e2ddeb91d616c76b5cf5ab63fbe0faa420a6712df0d633578dae7af268c27671b31bd1e2b0a1a6c4e61bb871ddde3c8b9a0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0729cfa89752ade0c2326b39ea53858d

SHA1
8dbaad4e6cb4f03d612a5eee89dcf7065892242e

SHA256
55ba1b1e75216bc077e5c28b63afa398f4111ac8f9e8d08f5d5fce7238c897d2

SHA512
14160e4bf68c01591cac33905cb80de0278526129c27b06266fc6d1c690c944cd208e797ec5c22b03b15cb05f54e8d804bd548e310911e1c36b8859c5011ac86

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0fd85ccf88f8d126c5bc0dfa2612a8d2

SHA1
31868e3810117b8876704c5505d1735d38afce36

SHA256
2cbb64bd4cee0cd491c1669d9ef3e6f9b6c7c9a935dd29faa087ea9227ca0806

SHA512
66383144a10f86cbc353c50d06915dea029e73e641f4b565b3acff7ae49a69a61f3ead608b427c5d8b7b96b50f481e8502b57045b94be4c60e8bdb06ebcdd48d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
45a816798f54e9ab03fc08733c9f7b8f

SHA1
15811228fe5db2e72f495256cfe81ad501a504de

SHA256
1651cd938194a31d7f4929eeab3296e4fb8cb029be17753ae97fd6a97c1b858c

SHA512
9bc91cf68657ce1d88c47b7b8f064ff80cf1395b20d29810d4ad33bd569bf2129ac80fdd9ac266fa2d6f7edc79871843f88bb01bf49a11ab4f39c33755496ca8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c613ce4c943ea398d8c7eca6c1769764

SHA1
2d3d95e15e5b706f91f963a2f3bba992a8dab753

SHA256
32734d1be92594570753b50b8fba1ac0c68d9191b33389f4fcf2f00d8ec12e34

SHA512
6445c761cb0f6b9c0d2b74ef343502cf401e518838734a05526d3f5e91ec2bba09b22062e16598bdb6e8be6434f829c27b598f6b4f5819b733552edb4416443c

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
407a5ff59ab251f1f4827b65b908494c

SHA1
10e9cc872c173475ed76e5f35fcce1640a2a9e9c

SHA256
56cff878bdb3c4f9c34fb2fe16202fbae0eb81ba33f60082fc72e4ac6c229d33

SHA512
d1c35ac667c737ad83efd501d4d8aeb05cb4a20222c489327a1b43d744d96e96240a5525d14f6903a879606862f449286d9b3718d11c6244434502430f518d0e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6bfd32929a9d32d1e77645a8cdb4e84b

SHA1
eaf06cddaeea49495a8d5fb8c33f9845a1e2b835

SHA256
c41493aea90ce6acbae4867f9f99d42167d9e13b60dbe0b6335b6f0e15dce3e9

SHA512
d632fa2401b3478d91de95b5c1e8cb67dc46506bbd6b00c70a0aca00bce5ceaf40cd69f1dd0a3439a434e961fd198deb0b6b449feae855b599a6a3b63c67ecef

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
0bba62c45537fa74e137efb081bed4e2

SHA1
666e20657dc40e5b8fc752f6ef7c06460034ad6d

SHA256
50cb0b21b7f9beb60dc0c80c583189136fa3dd5034e1be25c65af0c10923be60

SHA512
80c243f04e8135de68e3d96ea223004d10521d8979afd585cf76ec252d3d4525cb5462a4327abf3a8239e39e0b6cff5802f37c2ffa3a240083a3ea4ea0aa3cd7

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8d3c5717a56c5f04dbb158e23e1299f5

SHA1
99d557eb09d8a84188286653ba49f91e50201f2c

SHA256
d7adc6de48f207687a3e87634890d5f19034a6006184c9635251d4ce4d8ddea4

SHA512
684bb764486b4c942f1d4e0aa8a9e358c51e98c08551cf67071203c4b620f602699f5b355d0a812844856fded075ff508d7441e6c008376fe1025aab0a562841

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
0168baaea4eaa97b2a258931a5b3cd13

SHA1
d63b3c7b607bd57c9d3c685f27829526961e7672

SHA256
6c030642e9ffd95abe4d047af4ce3c50e53e3a301074fcdb8a2e89f2533258c1

SHA512
c34fc1a634c14f7701ecee1b144c3ce932f40f91774c91022962183ce85de9d65b7aaaa199b6aca5ae1123cbdd00f89b818efd0a24b67af24a2377f5d176df23

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
73604a2d0e759f8b40377309c5c592cb

SHA1
bb568f2407b42f91685bbb7d037c55ace4a7f922

SHA256
2a5ba2856cf2cec0fda3211912c4324cc879d8402e279c3af33d541a26fab058

SHA512
b7da83574a0658b845d6c2f50c50c2db40cacdcac73a327183874e8d9d0cd988cd5186abf34d77075bde8bc1d4963cc70bca47e996649bab0e1deb510980448b

Download Submit
memory/364-314-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/364-605-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/524-362-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1516-271-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1572-273-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1800-609-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1800-393-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2360-136-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/2360-137-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/2360-138-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/2360-139-0x0000000007BC0000-0x0000000007C5C000-memory.dmp

Filesize
624KB

Download
memory/2360-133-0x0000000000A60000-0x0000000000BCC000-memory.dmp

Filesize
1.4MB

Download
memory/2360-135-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/2360-134-0x0000000005B90000-0x0000000006134000-memory.dmp

Filesize
5.6MB

Download
memory/2568-202-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2568-188-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2568-180-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2568-186-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2568-204-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3028-602-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3028-299-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3068-364-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3068-608-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3408-414-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3408-165-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3408-162-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/3408-156-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/3608-197-0x00000000009C0000-0x0000000000A26000-memory.dmp

Filesize
408KB

Download
memory/3700-295-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3724-149-0x00000000013E0000-0x0000000001446000-memory.dmp

Filesize
408KB

Download
memory/3724-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3724-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3724-411-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3724-144-0x00000000013E0000-0x0000000001446000-memory.dmp

Filesize
408KB

Download
memory/3724-163-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3804-347-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3804-344-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3960-417-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3960-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4016-343-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4144-297-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4204-391-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4312-268-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4484-702-0x0000029ECF1A0000-0x0000029ECF1B0000-memory.dmp

Filesize
64KB

Download
memory/4484-658-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-705-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-701-0x0000029ECF190000-0x0000029ECF1A0000-memory.dmp

Filesize
64KB

Download
memory/4484-698-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-697-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-695-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-696-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-694-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-693-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-660-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-703-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-659-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-657-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-640-0x0000029ECF1A0000-0x0000029ECF1B0000-memory.dmp

Filesize
64KB

Download
memory/4484-639-0x0000029ECF190000-0x0000029ECF1A0000-memory.dmp

Filesize
64KB

Download
memory/4484-706-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-710-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-709-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-711-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4484-704-0x0000029ECF1C0000-0x0000029ECF1D0000-memory.dmp

Filesize
64KB

Download
memory/4488-184-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4488-176-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/4488-170-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/4580-606-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4580-317-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4672-234-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4672-233-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4672-569-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4756-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4756-228-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4756-225-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4756-219-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4944-214-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4944-199-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4944-192-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4944-538-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5012-212-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5012-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/5012-537-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5012-215-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download