blustealer | 4c6787b95635786816b6cfc6547d7581a0bb1ac83be74929b7cc2270c28bf32d

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2023 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2400-141-0x0000000000400000-0x0000000000654000-memory.exe
Size

2.3MB
MD5

5e4d44611a4d8d2430c8211acb694967
SHA1

f430285ee08c520afb744b6627437c63384f0f81
SHA256

4c6787b95635786816b6cfc6547d7581a0bb1ac83be74929b7cc2270c28bf32d
SHA512

1667be8948f54d0e515aba59b7f27a1597749cfcc82386dfc01450872b2ccf719246dcc8b9d9366ee3133cc8f33768bc195a78cad61483b515a7c323b3ef758a
SSDEEP

24576:YxgsRftD0C2nKGL0Djsf9nz4mloFQnpXUMPQDR6q79dA:YaSftDnGYDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4504	alg.exe
4916	DiagnosticsHub.StandardCollector.Service.exe
1624	fxssvc.exe
3380	elevation_service.exe
244	elevation_service.exe
4468	maintenanceservice.exe
1280	msdtc.exe
564	OSE.EXE
4744	PerceptionSimulationService.exe
1668	perfhost.exe
4644	locator.exe
4164	SensorDataService.exe
3456	snmptrap.exe
4424	spectrum.exe
1264	ssh-agent.exe
1308	TieringEngineService.exe
1424	AgentService.exe
3932	vds.exe
4856	vssvc.exe
4256	wbengine.exe
2540	WmiApSrv.exe
692	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\53045bef50d0d086.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3432 set thread context of 1696	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe	88

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0BAA8BD4-90AF-4FCB-B1A3-821C23211F59}\chrome_installer.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d86ae2fbc581d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004c77ffcc581d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001adc9fcc581d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a895afbc581d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a677acfac581d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeAuditPrivilege	1624	fxssvc.exe
Token: SeRestorePrivilege	1308	TieringEngineService.exe
Token: SeManageVolumePrivilege	1308	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1424	AgentService.exe
Token: SeBackupPrivilege	4856	vssvc.exe
Token: SeRestorePrivilege	4856	vssvc.exe
Token: SeAuditPrivilege	4856	vssvc.exe
Token: SeBackupPrivilege	4256	wbengine.exe
Token: SeRestorePrivilege	4256	wbengine.exe
Token: SeSecurityPrivilege	4256	wbengine.exe
Token: 33	692	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeDebugPrivilege	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	4504	alg.exe
Token: SeDebugPrivilege	4504	alg.exe
Token: SeDebugPrivilege	4504	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 1696	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 3432 wrote to memory of 1696	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 3432 wrote to memory of 1696	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 3432 wrote to memory of 1696	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 3432 wrote to memory of 1696	3432	2400-141-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 692 wrote to memory of 2084	692	SearchIndexer.exe	113
PID 692 wrote to memory of 2084	692	SearchIndexer.exe	113
PID 692 wrote to memory of 2104	692	SearchIndexer.exe	114
PID 692 wrote to memory of 2104	692	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\2400-141-0x0000000000400000-0x0000000000654000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2400-141-0x0000000000400000-0x0000000000654000-memory.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4804

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:244

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1280

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:564

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4164

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4424

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2148

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a269c041c493139196cfa4c53f6e2e5a

SHA1
07ab07b8be2a38f251bfd8880e66078f18f2016b

SHA256
e334534d30532c08fd44f2f73490c466b38937b64f8acc43c24350e50182ee4f

SHA512
70a8d4d67699f0a375c4868d47064f6838e62ac09b6ed910e35f1b91abfbbdea93b5a19745ceeb5b2d3273664be2805b37b4aff196475d89a9e3e04567bd2dd7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c28a033ac6896f88659c78803a60f264

SHA1
1bfc134cab811f352190f43ec5fda8983f59b216

SHA256
15a0b3fb6f6d602eecfcd3126e7ba5553c30c7646b00f8a7f4fc6769f6aace01

SHA512
871331832914200b017e29262874f95c8368ba98d61b364c48ed29a0930ed8e284318bd2c6c5387fd53618f5e0b54f2cfa5dfee6870f6cbf8988814640d97949

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c28a033ac6896f88659c78803a60f264

SHA1
1bfc134cab811f352190f43ec5fda8983f59b216

SHA256
15a0b3fb6f6d602eecfcd3126e7ba5553c30c7646b00f8a7f4fc6769f6aace01

SHA512
871331832914200b017e29262874f95c8368ba98d61b364c48ed29a0930ed8e284318bd2c6c5387fd53618f5e0b54f2cfa5dfee6870f6cbf8988814640d97949

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
bdd27d1a613f1cc8c72e11f7473c40d9

SHA1
54667961696243f1a95a8de09855ad0ad8fbf224

SHA256
7dc1d2cdd065f96c2a9739c3cbf44db2647ae0ff12156d3aed756f87a869e74c

SHA512
749725271738b7d6f153175668358aae252c9d435b8eb952f28ade82e707f50d36e7461957e66f7b103b3d9136779663bc4408c845fb1ed121d46de0e3469ceb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
72978b9747c029d7f55d73ea90f56b54

SHA1
dd12ab4b2123526bd694e1f2500c9715fa601bc2

SHA256
8b36d68cd36ca746e552061ed4890d70a8d59a297547ba4aa379efae20f2e403

SHA512
ef9db8f3a705d58b073235f7f739df7b097fc3accd4497623a5f3e1d1eb0d81bee34d21b2163d9a90198aa0a7375a7c33e9171c6f00973a44b66a9c3ff957849

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
ab2113cabe16c3ab23ad8b6104b3f535

SHA1
2829bcf83a624cc80d0fdc7d5558f41e4ea22c9a

SHA256
67e4ca4f8259b5fb7fd7955d24a19f435479ba52288ae605b7a88378ea23e4d4

SHA512
a2f7f1854066f18a1f037ff66a33ad2ebda16c462bfd0a028d6135cce41e53144b31af67f65e073aede1ce6ee35cf2c589f30fb46d851ab276320159c0f9cad4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e381c77f83701075191abeb17613d094

SHA1
b20038a9a4e776f466a3077ba7ebb103aa6c80be

SHA256
b93c1ab52853b53b253b5877bdc893accbf49fae9b0393998605cba140744999

SHA512
2a47e3547bfe36b3085c071dda250a6e49d49bb7589b0261b8877fd2ae42c9ee5b7ce7f24c39427b8ab7c363f106729cddc2ed9774384a24ac881cf4acce7063

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
f23318f17ec8de1b0b7a3b5d3a9813b1

SHA1
5704d956ff1df6b9c13e2641d076c7bdbb4266d2

SHA256
684ec77a5480cd2e73dbe4cfa890453faebe2586524303675555769d7fc346d5

SHA512
85b08de3dec944d7ff27107dc9c360c89a7a33d35d725583dedfce7df094e2b2a989fd7566700189bdfbd9265e045ed13bc40594fc5d1318c9b47f1456590ae1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1f257e0fc1233e477b67a613a9ea6da0

SHA1
82a4c6feab0414ad8c40215f785e3745052e7e20

SHA256
17c537bfc88a3a24d755bc51014955efd4238adc1e15ed03db03a7a505ccfd09

SHA512
0859a98ee370e08c160594992671d7ce7cadceed3f371f22a815e5bc7d04020945f698b2b0ef417d4a84d329c4b60b5eb516251323afa5850454c2e9055d17cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
2d91905cf5725e64518a7afbe8f99abf

SHA1
9b6c609f5d0b80c35b0ca863d553baabdea7ecd7

SHA256
bb2776f57eee946a19abde0975780b68399631966999dc28381870ad3138a87b

SHA512
81950a78c52dd096611d32db11d62acbe0b9f29b4eb72403601fd4552c1bb54bd6886bca8f1d4a410453699da86c349fe37ebdba39191657f73e82c12b530b43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3ddbfa84bb411362706a30be1512fe42

SHA1
8dbc7d54807f10c1e7f7b2b6e2579c95cacb948d

SHA256
033daa5260a82e37d2eb3215a01c0f6ea915d16a196d90d9542d6aa6eb39850f

SHA512
5f2940e196a16aae6bb889e6971e7c56782efaacaa6cc635fbc720a412cf75b0388d4920da47405a7d237f7a78a33d1a5249a6ed63af4d3d09a7fb185c8120e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3df57ef5a97158636744790f1e699fb0

SHA1
db027be670d546b167b0ec1f9bea5e2905904cb7

SHA256
14ab7a40e1bfa3c7d8d112b250019a367e06edb5fbf6e9840a33c217deaeec61

SHA512
95558e785b90d67f142843b3e8567abf80e447b957cd6df50fab18fc7a0e97645a3c9eb109f24925716dc3ddae0181bb20137727b6e6adbb576f0ba5fa6278cc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8a6132237395b95373722f9439a5bfe1

SHA1
860a2e819f316330afc1c2ad60b8af78a42bfc0e

SHA256
de5da440cc1922ca102a6172c1b04cefc72501ce358539d8788310f2bd7fcdbf

SHA512
164759fecde1bc9db0215dae385c8a927edd261fed32fac821b130fe65bde794de283d00c0169d8a0d495e99db06e490b33906550f7d37bc2cb953b39bb0f26a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
47531af81fe116c4671cf1f2b6678c38

SHA1
6a031443a35d077c0356c73bae694723f5e49538

SHA256
e39ffce2639abfa87c2827fc18f6a1f63d00c2d9509c923025bb1bf8dd1ce458

SHA512
38f2c46e88285810d632823de7dc6aae292aff5b729e2757cd7e76204271296d478fde78395f30cb31d8f627749dde355a606546464a0f948b900c30da518c2a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c176f0e11e2135a80c3bf982267e65ab

SHA1
ce3477fd66543e1375970ec58b472102b2c09b82

SHA256
8675a76ea6a58d17390f06fb7e6726273a88701534b89e98cb5fe0807562c3ab

SHA512
21150d075dd94c77ba9dc8f863b321ade74a5d672b266e0f860cdd3f095d6730938acbcce203cc390aa495affeea0804edf7c7e23a9defb4a2098ffa7d2320c8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
271af97c88880a6d96636b1724293b20

SHA1
93d30aee44de42942b4f11ef884ba6f598c0f88c

SHA256
f94440c43c26bf954796a9517f1b4e18c6c6c93514af06c1d1ca31f6440ef592

SHA512
342972df7d9a949bfbe354b49f56219782bec306e83741364666525d434fdb82585840e02ed0247325a2b72d2e7170180fa8d662e382213ddbe8d671dd96a78d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
ccec584d9659dcb64e34588ea6b383c9

SHA1
2f3421befcbc45e42d79c67b582bca04e2028e36

SHA256
5658add0f096827fb36c3150df5a17c502f75d655ce042433f034c420a3380cf

SHA512
9a1684c90b1f2c3e3638a323e328b34539fe25d812f7fb8f3749c1198048a3a177af7fc5fdc0a340a38d0eb0e8694a040a35a70d446cbd2155ad090a1c32e09c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
a25294b069be65b802ead1f63ba28de5

SHA1
d002cfe9aeb19bd24fcfd68fcdb27e428318d44b

SHA256
40ed2fb2a79a6ffa8d033878312ee590e77aab34b7f2df679b870b07f07336fa

SHA512
5ab5b59e52f60a9aa95071d5e185c9dbc1f40bcc94e48c6aa2f328ec25cd6c9ab2a121313472cb622b27140d549651c7d5cacfac61b0c1cd720985e67a941c9d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d8c9085f11f400ff6dbaffdff6c5aebe

SHA1
1ce10ca0337600329a2e47dea2e8331429100391

SHA256
ff90d292906774d28c36c4cc5bc532ea23740fe1dabe40aed2121c955f5f77ce

SHA512
099c82b9e608f62f80c06358defd7c16d6dfa6697ca16b6a397951cba99cb2c2297acceff18c351d196b80c1967164b0dd1c75eb85de07d6646fb107c61fdf8f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
b36eba55e70e5a5863ea63853b98d906

SHA1
f60dc1fbf6d223596b1f20f3010b017ce26da77e

SHA256
9fe78a292c4aa25754cc7e35309336670130ea042c42794088b0d885a69dbf49

SHA512
f70977311bb2686c5ca39ed089384fff49435e6f466b3913b110501e042f71aea5d4b5116df79fef9779d182393151c8d420135da0a911257bfcc762ae287bb8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
de9577192388d083d51f8172648e68e1

SHA1
a72effaa02dbdb7feefb84103481a9cb036a6e64

SHA256
ce712f2f5ab38d9b4e818f2d0b068c4de4dfc96eb103356648b7981263cb69e6

SHA512
619a85149337829591a3e03ad48919483daa9ee8b2614855ca1058136fdcf7c5577376098a8c30e2d11bc3c118f21a4b4d5e8910f2d77a2105fa318d60bbeb3f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
0045eed0e9bd08dfa46ce3696a5e6386

SHA1
9c46fc4d40cd5d62aa68b5b958403b3b1cf1b41b

SHA256
a8901018abe9d3d965f68e260c02d1deb96e9cf62c1a907e7ecfb603e07b118d

SHA512
60be57999d82761f971eb63b1e3cf9522a3eb3c6dc92a612f40b0a6db31411edd14090424a8dd3ccfb3bbd31d7aac0c9bd2c746ab03fbedfa454ee75c0f9ebe2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
e4ec14cc92a287b6b296de34601bddbd

SHA1
2ce9810c41c647d2054dd3ad1bf234f93f45530b

SHA256
1bcef4658f27a13ecd7f7efa92afd04c032fedc40dcc727b5f6577132ba32804

SHA512
693291c807b9d1ec455599ff6c95b4d9eef653d0df7fe2e7535b25153ce29e71bbb7dba1041792bad586608aa00f57e07a84cfc5ae5afe6d7be28dcbc41b4f71

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
6f699dade1547f585cbc7fc199dec9c0

SHA1
31cd94fcab85621cc892ac80aca628096da92c4a

SHA256
48f54230ac86c31bc6057e36fa713916ad30106f45b4e66fccc57c42017255ce

SHA512
f877700b5aa349ba19b6fb5a2f235c3696d5628ac3dd1111871cf015478e8e4ca8667fcc8c3152524139236521c8d9f85b48be72406061b53b53add336bc9fcc

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
35723c22744cbc93262198a373ac3518

SHA1
f1d6c90b4e4086ed8e23380d0ea7f8aa79385cc6

SHA256
6471b0f6db17638a6e4cae3a8a69024e96ef8a3b46ce767ce57d320a7fd39426

SHA512
0b281be24f41dd964750dbb14780423965c4c5aec00f50e35646f139d10f8e67076f7d5b89a9d8e2b60fae91f657a20aa78149bf7d9e3ec37090eeddaca3bffe

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
cb03aecbc1373fa9ba8cbeaad4df5bfe

SHA1
734607389774aaec83445b59d72a953d36cf18a3

SHA256
f92ba4df57f70a85d99b9bae2473b3041886f1963336dfc9fa43827c02a50872

SHA512
6b8fc03d5a7a721b5841a1bfa6444d4b3fbd92381f11068974302e39681ce07e104dfda87cc7f7c21a8bbbd04044433cebd61b23c08b7a325859bdc375e6cd36

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
2bbd78488e5159793d9ecbced9f32d86

SHA1
ba45efd3acbf3d1503f6b4aa104a084d55757c90

SHA256
a72a9b156c2d9917d08974d22d73e78fada8b01771c0e6d7a7c63024c16c50f5

SHA512
7542362edbe48697fd1b38e212ad2157413d6bc108e536ebf61303ffc9be0c11165fb89f54a85b3b6f0981bd85564c091e4dfcab18b40776235a2821f33364f5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
8c549099d6e031920251c6b8a86c7a11

SHA1
206edc3c6c6dac0b2075b4b2f35804275c21b01f

SHA256
3bc9c7f860ea31e02f8610216a14ccffff1f03c79e4b97bdc4c511e3af57d818

SHA512
e8f636aa67881947b1ee063b8993a177f16d8cde1fb055fa35bde5a68947f5521c9c131317911d77e33d4331627355faaa9fbb5dd1be6d8fbdcb7be75d3e5bed

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
e7a251f165ddc9f7aa1badd596eabc93

SHA1
263de086dc429a6c78fe48e7f3cb325e660f0d2e

SHA256
0e079276206ea54f5edde2f8403441eea2539a6180a1d4836022c9d40ba31795

SHA512
423b801ff6ec4c3325bdb5a57fbfa63860c3858cf32b50dfbdc3e72c4b2ab973b425671a2019a594b0f5a302d5fd8a822299352399c0bfc3a73df4735bba253c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
68e30d2f30f8dc715858a6b7241868a2

SHA1
5b35cdcd846296b99dfe2509473354ddba5285b0

SHA256
9b5ff8d7cdb45528486dcce7213748b669f683824687629ae18470dfc3d2d866

SHA512
7a0d5fde6d787341cc31d25b329fc66e936a11a71b6f64569ee328cd33eeee003949d0ad2aca93c3f86b67e5c1d11301e09ff0c5c7241bf57ebced68444fb0fe

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
cae6522e990ef275fd1e56f0b8718542

SHA1
7efc4cd6a90bc3fa7e08ce00cc2aff98e975513f

SHA256
0cede59cfe49c700506f56f08b07d3ac996a9269a2a82dc6d05bf762632d6455

SHA512
3f9697655f5ea9d621fe2fa75ff8229448b595d98209cd2e35c0ffd1873cefa0f5c27a2c9815e0c2cb41ad24b973e9766da8a31d2bd71def802564433a0ce712

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
7a90d67720535b46c6da8703f79e512f

SHA1
0a3f0e1cbb576a060153bb3402ba07a7582b14ff

SHA256
f7c989d0b118a62f1f9eac095535f681271958ae8811fc6829fd7d677f586058

SHA512
6fa97d5569c5213784e6c5e9459fe3db8d3a37d28572504b066a0fbcafa07608240bc33c94bd44fac52763585ae8b31dd476a86c7e858491dad5c51983333e20

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
d30d2179583e1255d803f11a33bb8411

SHA1
833601cfbf43c05277f247b59d68a6e09238803e

SHA256
6d13449e5a0e68f2c38b6d5a043a2f109cced28b887005e1da9514351647a9e3

SHA512
44197b2cb243aa6842124d7f8c64bd460cf9f74f77633416384499997b72006b62fbf2af7fccb996299043a0316cf982b6ce3004469ec2eaceff7156d2ff5b59

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
65e65f2bd5399c33e63cc801891fed9b

SHA1
76c29d9d481a8797cc22806fa565f60802110a48

SHA256
8533642cd8e9ca582302d60719855c9c125d251d2bddb6ad1ab2f95b0638e390

SHA512
e4e152d0c5f0d9492001aee0a33f50d15ab16e4b3a6d77ad6bb250199252477ba263ee9146acc343b7b2ca48bca0c00a5adbf2c97af9fcf038557d2be944280f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
3ce010e610776d6fbfe02d70c0b3612f

SHA1
38f9da54a08103d88e763c2c20d27a7f3be30320

SHA256
d0f26695aa5358ca1dd1bed03bd99c689a4bee46abf7b33a80338ae942029441

SHA512
820dd8adfd4d804848f038164a675a2b7c18f966f7a039558c8799e46419acb5032d5c88e8c1f80d5a0176953ffa63ad5227f1bcbb45c9a61b0faa8a90634736

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
03caf85fa96168332afa2676ade9b37c

SHA1
7b581a4877f17eacfa79c9507dc2c1b68f7a31b3

SHA256
a77b39c38dc96b94fa91655fd7ef441270ccbf3650f23d78bb7308013e1b7511

SHA512
71c1ec22ca13e3d76d8d3b42f57595a6954da9cb4cc6f52271edc55cf62af1c08f25140c2a220110dea4153c8f32b935303eed25528595fc92a58ed1a22dd16c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
e18622de5d01d397a80501ea84ec2f89

SHA1
4a6b08bb06b239d3048855802771a70e8b555356

SHA256
93c1a868ac77128105084ddd2db1957594037b4fb23a061c74505e0338695797

SHA512
1802052acc8dd48592bcd25be1d3082ae28cb1be9cd44a18aa004047eb5b93d7d1f03a801767ba3ffbe8ad2e62376742d9c40e075d340c0cfff3bb5777753539

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
27b3693f649c49d11ed65ff225295109

SHA1
0ed2d49b988032f6db745a82de28b6734debfba2

SHA256
07b04baa4949ea93de0a70c615eb6edc1cc4c324e9730457b03f80d014c72dbe

SHA512
231eae30294582cc04079c8772b0b3fc99a076d387cd8c20b3b6f9a74f6fc7eb1f3e9016dd1a39bba766c009519a2b33156fc5a08aec13ce7413a92c7b62b289

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8c1f0d1cef064822700e0cb5b971d13a

SHA1
f2963bd409ad8707e038804f2fd9e4e3aed940cd

SHA256
05208cb049e7a920183d2069351d72400f90a8aba33a040ffd2d4c5940f8a9c1

SHA512
60e4b9387adf39adab3c687dd1d0543749f59fddc9e243086699547022c58ef912d3bc3f33f4939c26d2f359e5ee7cd015b9870fdeb8ee37f44e185697462a13

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d0837486dec71bd8c1a7955a3bc23315

SHA1
af5c98cd5413623b732f993e6611f7ecf97ec5e6

SHA256
c1d43850e392124b3736c949b41de249c2aaea13940e81ed45d7859202a35ff4

SHA512
0029288fb197eb615bdb0e1cc115c7c2cb34458d1c748d43e52bee23278453956dc34b6e6f2b4e1fc8c8f845369b8dc347fb8d91512a0c1255c5c7a46f0416d4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d3760fe34385c0fa31104540494adc72

SHA1
1a7af6ca8d6ef462599331bb83e2a235b5fd836d

SHA256
59b90d43e54d19c3df58d711890217d193cfa1b55d61c228ace13ad81f7d56ac

SHA512
0b614f90da1f13899e878a80ce969d85a8dc2b260d230724107d518686135feaf78186a55edf6958b02ced1ea5ec7ed397eed68c97eed11898e843cfeacb35cb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
caf120dbc91c86682c516350c37473e2

SHA1
b2612b1232e4759966b65dae26c78e690fb29b37

SHA256
1694eedbb6f8787912276e28ba0d3fb5780e0f0c43efa1df31aca2474f3e1bdf

SHA512
cd90dafb6920bc3f00bfa2f59b393c8166ffd6b5a14e757ceef28796a23f4e43b711df1173870a824c6a5bc1528f4035b0ceacc85fe3d750858a633332b90db0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a40d30b13a98204033582ae51c58421a

SHA1
d1e6a5b621b070b795bc7a7aedd63ced6e9f9304

SHA256
1c073ab72404b639ee3310687a34f39e3560a3f6975c0839e8d76acf3fbb598a

SHA512
592d98a0340fb4607d800494bd425a4aa60e6a5bcec61b0784f690361215d1fb07aa6020945bb0ba98d7f5b6bac1439ec1e022a5d48e31af351c937c4fe89de7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
bae075fd4a88026b995f2d25f8e51365

SHA1
e9649476323eac7fffe77f686fcfaeef7e1175fb

SHA256
4ce3c35331665aa59bf6b31272a2d4448dd001d892e170a6d7eaa9fac411330d

SHA512
151f3d92e78b3541d15e31f4c5c2240250557ef3d92cf5002abd72bcfaa01e5e2eba55aa6903370a14370df2c55e043c3c092d8dd96bc98277887e4b9fc4f573

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
bae075fd4a88026b995f2d25f8e51365

SHA1
e9649476323eac7fffe77f686fcfaeef7e1175fb

SHA256
4ce3c35331665aa59bf6b31272a2d4448dd001d892e170a6d7eaa9fac411330d

SHA512
151f3d92e78b3541d15e31f4c5c2240250557ef3d92cf5002abd72bcfaa01e5e2eba55aa6903370a14370df2c55e043c3c092d8dd96bc98277887e4b9fc4f573

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
08de72e1531d1dcb6803ccc6999c0456

SHA1
e1418863a60d0c9cb2af91aedb342e528ce5649e

SHA256
609c8099e266c1831d70c4f061abf05eeaf0c74eb54788b541fcc6b175f2bea2

SHA512
78e4e0732bc83c9f4a4948c6f63fa2f2c878fa3943c911515bd56f8044b853242635c260815b5e141af35f76d3a41095dad86812b43b80fa28a4776eab54ba84

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b74991ed0cdbef1bbf4812b15b175255

SHA1
9352a4109b0a70742d90ade2d5022b6e79ff1e52

SHA256
01d2dfda971a2aa67091f5ad4d789d00785c5965b06f960e7919845578000278

SHA512
192ba72652ac43e51a8de26c9de3fc5f572106fcaa5f04b924c4f1c0cb43003adc80f157a8193943f97d8e2e29be6f053b9e61e80c12ba4a214fe106cd708f77

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9ea3dd19263f5a447ea6712d47be8bdc

SHA1
8d6cfd321085b17c0185d0338a35995fa95cfd57

SHA256
df48b46f7b40285c331d40066991a36d811cb2db98750f1fbd514843381fca6d

SHA512
3ef32553ce7180ff736e89c9c0bb6cb4fe3a136a5574cc898c7b8e53e9db33f2ce18641227f6b1c35c2c76f6f4badfc7dc8215075c24e5651861f78be6294a19

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9ea3dd19263f5a447ea6712d47be8bdc

SHA1
8d6cfd321085b17c0185d0338a35995fa95cfd57

SHA256
df48b46f7b40285c331d40066991a36d811cb2db98750f1fbd514843381fca6d

SHA512
3ef32553ce7180ff736e89c9c0bb6cb4fe3a136a5574cc898c7b8e53e9db33f2ce18641227f6b1c35c2c76f6f4badfc7dc8215075c24e5651861f78be6294a19

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5acd73d255f9b2d2c0e0e30b565c1040

SHA1
2c64f145801fcf84f6c63c19c0ea043b411ed672

SHA256
871b147683801ba341ba828922af1c0b35b855a6371c09d28a5de2837f72425b

SHA512
789a4872b83f2073622ff61879697bc02ce6b1d360f13caf52446864896f2a36388640c272dc3b6e2772289f5fbd7646a8f781ca4a9be4e314824269906ed0db

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
526eaa409523e6aaf36112abcf1a75d6

SHA1
b41f4dc12004b3703f97364b6925fdbdeb9090b2

SHA256
84162a6ec99e1ce1ed8bf03d9721739a7ab15825fad250c888740097e8b9dbc2

SHA512
940e2a8012e857074e3abc805565db4f2046699ba8a2d21faa9424f15a8e04cbac0ab354bb431a69d2f1fa49cb845d5c5218cb82eaf1e1127fe981213b96ec9c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9f74330b635fb8dce43ac79f8efbe5a4

SHA1
3b219215454602f3c0cd82342530769bbd950ce2

SHA256
c09abab7242b0f161b59d6acaa3c89b0b0b73780782a8fe6d5b349de0244c89b

SHA512
6d4c826d34a3af0289338921e1f317872c5c022e779551cf464d59d34e475ea28ac9df7ca1c7855f40fe8a47ef719dc4fcfc3acd149ae5a7f44ffbcecc1c8cbd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7d7b7d0736fdff6b73ca4278346f5e01

SHA1
0884cf98a7edff9620f2740131cc1dca3f073bde

SHA256
c8ef5fdf5a35f8cac1883ed079a6aaaac596f3428ce29d5bf5c371bc29ee5263

SHA512
d7239e6389ef873836e2c81f6a6346d31c13d87c1592bc9c37fd392c62f624107b32473548e4c63ccd55c29c4c1da20b927131f93642d3522b8c887b95a9b9d7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b8a6be167e4440b9e8be6fdd896869a7

SHA1
7efeef85e0d7b6a1edb51ab669a3ded792da8cec

SHA256
8aa6fdc11467fca87077d29b15558a988df81ed93d876591a558a5b7a5191f50

SHA512
9429d90b3bf24b694686bda6373eef0f360e14e085d80eaf00b74a78c04b8e1c679cd5bd43c64c5518cd8cf83c3cd501831c8550b5013f34f88aba0588723c0b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b8eaf68d91d7fea160d5fc2bb4a13cc9

SHA1
8c92ad644258b2dc64f246a71b6f87b53d260fbd

SHA256
5e89e5d437067b98d60975b73650f757081062e4701d8787d26ee9269397f980

SHA512
6945a22b7dd8b3b281b7e947408cac0b2492629bc41ed1b1ce7ef5cea8aa416039c6b7cc531564637af2c5608731e7a947d05b0cb2f4047a11ebe57d086a558b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
044f1b40cbba9a93200d99359aa34f02

SHA1
329ffe856656aafb28fdb9ba3908cd57acdf4a8c

SHA256
8f7456383199f6eaf9f0320fd67e37497df180312abde0f3d21076e54fff76ba

SHA512
c0bb1a2b7673bb7887384685f5957f7e996429fe31ba6ff0384daa925673632d07220ac8dc778f11679346a1bbdfa5fba806781b4bb4d38c68bd980a347548f1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
5f576d91d12449a525bf3cf6a30e5ffc

SHA1
fd043681c932534d0e0c179f7afe02eb601cf6fe

SHA256
e3f76050c01bcf722ebd6ae22011594e994f964d3c001b54f4a41132d41cd420

SHA512
834cb06fbda1493dc56cd055efa9e73d9aba724f3787eb4576aef913406ce3f09e7d642f632f22c9df8660cc07c58391e2a39c241f863aecc6d28267c46624a6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
782877875087cafafcdcc09635e1f285

SHA1
70678fd75e1ffde05fa3ee1af862895d5e6660ba

SHA256
d880aef2f5bccbf1f64f903ea54dc447f4b7db476d08da387ba20763e14bc4a4

SHA512
70041cb1c44618895b1f5529c867d2292accdfeb3793e547cc2c07d3acdd924c944e97e56eeec36f2275df6734b2cf1f1d54d7c07c017e05ebbd3d4314776b4d

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
d0837486dec71bd8c1a7955a3bc23315

SHA1
af5c98cd5413623b732f993e6611f7ecf97ec5e6

SHA256
c1d43850e392124b3736c949b41de249c2aaea13940e81ed45d7859202a35ff4

SHA512
0029288fb197eb615bdb0e1cc115c7c2cb34458d1c748d43e52bee23278453956dc34b6e6f2b4e1fc8c8f845369b8dc347fb8d91512a0c1255c5c7a46f0416d4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
82fa3512e1983b99443c0de8ae09a344

SHA1
ff4e71b213622834e5cdbdf2c82a398969fd8298

SHA256
d1abadeef45b42ca6cb6e3d40b509723cc4d0d5f44aa7fd9aa290bb7d6221b81

SHA512
66ec2392e572ddaca2d304348f29a0050c81d5bed94e3b5e6bccacd4f168dcab4cab38f5efb24b797b60bb0b1dcb39cbadca0175426c5a86f07f22805dfd377e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
1bff16c697b4ce7ab98ff3209c3b3327

SHA1
fe1848e4c53ff3baf8726451a606a7de6811e5b1

SHA256
2485ee5682253e21c9c23843f7daef8e08a4d814a3db0c618269754fb9f07c45

SHA512
b518170cb6502d6bd46c0bd39955ff91d2c61c9adeff805eac61feb40a75f1d3109768666d4692d32c487f5827e4fdb76e91954d69b48fa32d9a5d9c68a96987

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
caf120dbc91c86682c516350c37473e2

SHA1
b2612b1232e4759966b65dae26c78e690fb29b37

SHA256
1694eedbb6f8787912276e28ba0d3fb5780e0f0c43efa1df31aca2474f3e1bdf

SHA512
cd90dafb6920bc3f00bfa2f59b393c8166ffd6b5a14e757ceef28796a23f4e43b711df1173870a824c6a5bc1528f4035b0ceacc85fe3d750858a633332b90db0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
f8a0337f995e629901ed7dcfd131d3f5

SHA1
2feb2a7a2f6211e5a3c08f6a1a1fcba19b3302ea

SHA256
40d93b4749bab86949f91d8897a1144e677b1518aeffb9493bc694f8d248b681

SHA512
32e65f15cab4daf68c2d43b9d133e1687d4170e88031e327369da01bcb59713a74888ff1ea176acd85af147bca21e950cea0dd924bb48000f27ccbd03a946b3f

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
a5f0e1cde2512acf65600b520d0b1f7b

SHA1
2129eb9eb2a1035bcc25a05dffaffe996f0e9bfa

SHA256
33d580d49a9f406cbe43d41e3aad2d36a95c803322ac473835cb2e3f5258755c

SHA512
9fee23274122ead23d35ae642530d70b08bdc7e666eea8e5570299e1423fce8a67a185bc1596ca7ed70966365a48ffbb1815c6c6499043d6dd4591dd32d37eba

Download Submit
memory/244-215-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/244-194-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/244-200-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/244-524-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/564-262-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/692-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/692-402-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1264-342-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1280-220-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1280-230-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1308-346-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1424-352-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1424-348-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1624-185-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1624-181-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1624-176-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1624-170-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1668-575-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1668-266-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1696-245-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/1696-231-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1696-202-0x0000000000790000-0x00000000007F6000-memory.dmp

Filesize
408KB

Download
memory/2104-631-0x0000018751730000-0x0000018751740000-memory.dmp

Filesize
64KB

Download
memory/2104-709-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-695-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-698-0x0000018751710000-0x0000018751711000-memory.dmp

Filesize
4KB

Download
memory/2104-699-0x0000018751730000-0x0000018751740000-memory.dmp

Filesize
64KB

Download
memory/2104-700-0x0000018751730000-0x0000018751740000-memory.dmp

Filesize
64KB

Download
memory/2104-703-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-704-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-705-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-706-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-707-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-708-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-710-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-632-0x0000018751730000-0x0000018751740000-memory.dmp

Filesize
64KB

Download
memory/2104-711-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-693-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-692-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-688-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-694-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-691-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-630-0x0000018751710000-0x0000018751711000-memory.dmp

Filesize
4KB

Download
memory/2104-690-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-689-0x00000187525E0000-0x00000187525F0000-memory.dmp

Filesize
64KB

Download
memory/2104-629-0x0000018751700000-0x0000018751710000-memory.dmp

Filesize
64KB

Download
memory/2540-609-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2540-400-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3380-487-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3380-180-0x0000000000E30000-0x0000000000E90000-memory.dmp

Filesize
384KB

Download
memory/3380-189-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3380-190-0x0000000000E30000-0x0000000000E90000-memory.dmp

Filesize
384KB

Download
memory/3432-133-0x0000000002500000-0x0000000002566000-memory.dmp

Filesize
408KB

Download
memory/3432-260-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3432-138-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3432-139-0x0000000002500000-0x0000000002566000-memory.dmp

Filesize
408KB

Download
memory/3456-314-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3932-374-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4164-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4164-579-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4256-398-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4424-594-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4424-317-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4468-211-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4468-214-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4468-205-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4468-218-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4504-152-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4504-153-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4504-146-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4504-313-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4644-283-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4744-264-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4856-375-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4856-608-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4916-167-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4916-165-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4916-159-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download