blustealer | 5f323f12b134d9f8718282eeb8d8423c9a6f123545cb8fb4ca3a38b6f8092af1

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2023 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Request for Quotation.exe
Size

1.4MB
MD5

6194f48fb37a6bb1ba0908abc6b1a537
SHA1

0e80a10e34ca8b23e568f871bdc0eef8f1fe63f2
SHA256

5f323f12b134d9f8718282eeb8d8423c9a6f123545cb8fb4ca3a38b6f8092af1
SHA512

7723660cb65c449ffd73ce457d3c7ce93a4d7703452c7d2f68608e4245420e26fc390a435f4cf3538931d6938568266043e3600e3fe943f531ad696990f7ef25
SSDEEP

24576:m9WFfD+P2kVORHUvU/C88Cx+DDs9hmt9EwONE+D3APRgbUTfNugzT:+U4C4Cx+DQU9EwqTAPRgbfYT

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1736	alg.exe
3960	DiagnosticsHub.StandardCollector.Service.exe
1664	fxssvc.exe
1696	elevation_service.exe
3772	elevation_service.exe
2260	maintenanceservice.exe
4288	msdtc.exe
1972	OSE.EXE
3992	PerceptionSimulationService.exe
3008	perfhost.exe
4340	locator.exe
4728	SensorDataService.exe
2152	snmptrap.exe
1508	spectrum.exe
1688	ssh-agent.exe
2788	TieringEngineService.exe
3316	AgentService.exe
5032	vds.exe
1248	vssvc.exe
3360	wbengine.exe
4460	WmiApSrv.exe
5044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\locator.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\29e3e1a9a2815e1.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Request for Quotation.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Request for Quotation.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3832 set thread context of 4180	3832	Request for Quotation.exe	93
PID 4180 set thread context of 2732	4180	Request for Quotation.exe	99

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Request for Quotation.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Request for Quotation.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Request for Quotation.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022562c21ce81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d7ff520ce81d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050950821ce81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae628325ce81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9ca7126ce81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb0aff20ce81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1e5ab25ce81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	82	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3832	Request for Quotation.exe
3832	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe
4180	Request for Quotation.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	Request for Quotation.exe
Token: SeTakeOwnershipPrivilege	4180	Request for Quotation.exe
Token: SeAuditPrivilege	1664	fxssvc.exe
Token: SeRestorePrivilege	2788	TieringEngineService.exe
Token: SeManageVolumePrivilege	2788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3316	AgentService.exe
Token: SeBackupPrivilege	1248	vssvc.exe
Token: SeRestorePrivilege	1248	vssvc.exe
Token: SeAuditPrivilege	1248	vssvc.exe
Token: SeBackupPrivilege	3360	wbengine.exe
Token: SeRestorePrivilege	3360	wbengine.exe
Token: SeSecurityPrivilege	3360	wbengine.exe
Token: 33	5044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeDebugPrivilege	4180	Request for Quotation.exe
Token: SeDebugPrivilege	4180	Request for Quotation.exe
Token: SeDebugPrivilege	4180	Request for Quotation.exe
Token: SeDebugPrivilege	4180	Request for Quotation.exe
Token: SeDebugPrivilege	4180	Request for Quotation.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4180	Request for Quotation.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 916	3832	Request for Quotation.exe	92
PID 3832 wrote to memory of 916	3832	Request for Quotation.exe	92
PID 3832 wrote to memory of 916	3832	Request for Quotation.exe	92
PID 3832 wrote to memory of 4180	3832	Request for Quotation.exe	93
PID 3832 wrote to memory of 4180	3832	Request for Quotation.exe	93
PID 3832 wrote to memory of 4180	3832	Request for Quotation.exe	93
PID 3832 wrote to memory of 4180	3832	Request for Quotation.exe	93
PID 3832 wrote to memory of 4180	3832	Request for Quotation.exe	93
PID 3832 wrote to memory of 4180	3832	Request for Quotation.exe	93
PID 3832 wrote to memory of 4180	3832	Request for Quotation.exe	93
PID 3832 wrote to memory of 4180	3832	Request for Quotation.exe	93
PID 4180 wrote to memory of 2732	4180	Request for Quotation.exe	99
PID 4180 wrote to memory of 2732	4180	Request for Quotation.exe	99
PID 4180 wrote to memory of 2732	4180	Request for Quotation.exe	99
PID 4180 wrote to memory of 2732	4180	Request for Quotation.exe	99
PID 4180 wrote to memory of 2732	4180	Request for Quotation.exe	99
PID 5044 wrote to memory of 100	5044	SearchIndexer.exe	121
PID 5044 wrote to memory of 100	5044	SearchIndexer.exe	121
PID 5044 wrote to memory of 5108	5044	SearchIndexer.exe	122
PID 5044 wrote to memory of 5108	5044	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  2⤵
  PID:916
- C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2732

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1736

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4728

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4004

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:100
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
15b28ac8a18f63549b5adc0b6030fde1

SHA1
8a43c85eef730a335eaece76614eb43472bbf2c0

SHA256
feb67068736cce1c01547ce5881cb93128551309898f97529094d201025cd0cf

SHA512
fff24e078884577914609a4f4139cc6b72dd3710cc842571a6572bee31553774af8c5c54d35aeb3973fa2c41c3b74febc450fedd6c81239c967de935aac76d81

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4f368d4cb5d51d8f83550108444e999a

SHA1
fc59098bba1594702d469cb3da4c3451c7097a7d

SHA256
0f0eba12513d95527377b27a7929c937cf5ab37cb6ca25c7c11e8dcb4f3b4f53

SHA512
bad61460a86434fab9ed22fc5ef27f15f576ec006b77bcf4cb586a2ba9b94b9bb1dc1aeb633f9bbee9f601f1dfa805d018da1da20d87fa076ffd28768fe3156f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4f368d4cb5d51d8f83550108444e999a

SHA1
fc59098bba1594702d469cb3da4c3451c7097a7d

SHA256
0f0eba12513d95527377b27a7929c937cf5ab37cb6ca25c7c11e8dcb4f3b4f53

SHA512
bad61460a86434fab9ed22fc5ef27f15f576ec006b77bcf4cb586a2ba9b94b9bb1dc1aeb633f9bbee9f601f1dfa805d018da1da20d87fa076ffd28768fe3156f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
837022b863bac39f1f4f3c2ed36715ac

SHA1
75df62d2de64bd7dc56b0d24b56be46d7a43cc36

SHA256
14d92bdfcc453cf9741cd44090a95d1c1e392650cfd4e658d949b8133d3834df

SHA512
357fa99216c9011dbd25c2bd9d99591173aa38a310925a84e350c4e9d1775f25f097611d7c72498acca4303b3b81c4ae970619b81f3708d717909718fb9b721e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
b316148716543e5774380b88f4337bb7

SHA1
c4bdd64bcb95bb46bbf51952a8d1259c3bbc02d1

SHA256
2debe616198753f44544de7148a889916adf767b497a7b2f7def29f822e3f109

SHA512
9bf0d121200fa751f1f4d0572a74be8e56c42eaebdf8321d0308db02b9128c0df49d3782caf74a9bc51be97c1b00d61dea451f2e9ff00e714bdfd53a5a866e02

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
eab385e1fe7cfadb904f4b2a04a95248

SHA1
48cc93012014aac8c5ede4be3e232badd796a4b9

SHA256
ba3c006d467f1f61fccd832cf20bccdcfc45b26b0b37cba7e7ad6e9a8c7bc31f

SHA512
a358d52a81a69cfdabf87f92f8a9920acb9b99166e31ee3c7db8efc050519136044e0fd03b60ade8e186be5c99ff7aac66077d09e0edeb5849927551f8e653c9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
bb6636adfd99cc39c13f06f712f1e52b

SHA1
7768af51ae899a58e6872058bb3de34fa682d5da

SHA256
2c07f9ba0e724ccf724d2580002c4112b3401d82b1f1ab65ba7a50ff0fda8e95

SHA512
ec1c372c9570c0e63a6c2d4d6d40c2956321466fa4de60b27a98b59aee30879fab1f2f9d2e55cc8c7460c05197f2a83be4fc9fe7b64f44c4f3436b815d0a25d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
7bad8afef8410019359d00f27beb3c41

SHA1
e20c0450fdd98fb00035fe74bc717f1f94c2a31c

SHA256
5374d6f3a1dce734ea15f5a939855167c27459a30f6b46bcae9f6ff8919a541a

SHA512
cc7e13c230570e193751aac461cf436cbd4915ef4fdb6e42e18ed25ee3b19144705363b45967969cf7e64ded0cc3e6aabd4798536f674741245a41a6233ac5aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9d0e307d54bb440daaeda3a3ccde55f6

SHA1
b46797526123af2d9acab670eb01949391eb47c5

SHA256
46e546455a232f1520770694c822a0e6a2a78e5ae0e371a3ba98703460e4f533

SHA512
3abfcb492b9f99bd1fc829a74327534e3ecb498e07648d5fe8cc55da3899cb892e83bb43be1cdaf3d9cf86848b170554d24fd1d3ec590a02c35791b417c931c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
daa40e4854cc2786b6c009dc97b82b36

SHA1
0c642a69f8c073275576ea4b42b7494bc2c0c50c

SHA256
64abce9b746a635cb4434ef5c548556e85fec8f81918f55cab54e8ffd8e41764

SHA512
f21e1543aea07f3e7d8da558300316fde0525aa35b26958a5f664159326b967529faa1e09092600ddf1ced4902b9924b15136776b2832f12ead15128d453d856

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
709538b7426c9c5607d4817ae49385fd

SHA1
ea2fa07311529b95e661e9f23e979907fdfc6f30

SHA256
1bf4f14f67aa934c83a2fe099d699a8e8db69f3a4e935b1958a0c1a04d1f26bf

SHA512
516e2423431d48632356a761ab69d4b1a7435544283754982fd69a098406c093df58f5a3ec34b255b07118a1cd81bcaad2bd25faa880aff68a166c906fe13706

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d2a051bc14e2654b9427cd15543f5094

SHA1
43f72f215b85402943859c79ce1d33a6d3d63e04

SHA256
5accb96a412a173c56d3a453c79352a32ce3d7f60e8fbb2acece5e559335b138

SHA512
7536ca0baab7c0927673dc11af371b842a03b719195bff5482a5a4238933894958e51e8598c23e061733a5494acaea4411e6bf31c2a9763fdde1999f11ae7954

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
04fe3c3956c8599672e02d55b914df50

SHA1
5fa8376fb4768679c51d12e8898cef0df14b4a39

SHA256
bb88d06f0ba7f44577c07370d4a1636b6961622a46c9c1ff20bfa85441768400

SHA512
b5acb21294e1f884e79b7d9a0b84ad9cee19728c7160fad37f8557014a4a59c96484a2f5c8e98afc25cb53d7fbaa28b2534610794ff6936acfafa100aa7b02aa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
f47598ab20daea766de5ceda7d84f220

SHA1
91a2368d7d8f28d327ba652bab5b806e711812e2

SHA256
1eb67f0c727dbd0b8af0dac018241a4403e8b829b7bc64756318811a3f09edb7

SHA512
4b0243712bde84924d1616d8e5aa9a20d1bcd50058c166ab9fa98cec189c7e117b038c1d9efb1ff3c147ec6cea1a22789119274211a98bcaaf4c69d4c3583640

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
01dc773b65f7dbdd5495ca067d7eedbf

SHA1
5251e8f7ad168df8cd83e81043a83230b24ce044

SHA256
01453174a7cf91fbb3e5c7acec43878d0ae86e25858f27f4737e12d3934300f8

SHA512
e2786f98365132dbbb8aa3e36997d053aa629266ad938db19c51f6c4a03b4a76b0927ab3769657926b0994eeb45734c7469dccad4a3d8fbe288e2ae31f6bfd7a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
a182955538d254d584be4661fa74e42a

SHA1
8c79c620cc001f4e82715aacaaeeb2a6211f0be6

SHA256
6c01bafdeec232116cc654900f43a3147eec98dce168cda74bdeb520ea86c6bf

SHA512
d8182cdbc15f70560a5dfcd982dd435324286267b343b43459f36618ac2df7e89cdfad2909bbd6270093273ec670eac79996050a804eef316f82ff4c3b0b48c6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
ca8854ebb6c5247846e94c34abf6f7c4

SHA1
24561e12a8fb9b0546d2ed43916958e2df10076e

SHA256
78eb64bcee0b52c579b853ff73cfd9d93f99cb2d00b80280e8c07fd579ad4a0c

SHA512
74b505c0b83ee4eb454d3c6640113572930a79a4a130396eeb5077e7e5ea2d59e7dd4a4f5a100680f5893ffa0239657effe527cb49f6d503f53dcb25593cfbaa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
d2ec5193296b6e658604feaa386fa463

SHA1
907973795d2cb5f41c9a935ccfabfe6a783b85f7

SHA256
eb9003111fbf4c83efb85cbb3a6ac76844ae0890d3ab75d02dd3290bc611a7b0

SHA512
e3c15737b2d37ecf5743007cab1508a63f861050e7816d72de7b51f685ff37ab7f5cf694151508035c03bca67aa40937ce889aa51e02ca911da119ebb4be3400

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
534c2948e804136ebcbb44308a4a31a4

SHA1
400ec11d016e1d7a5c04d855221331d2f9babb80

SHA256
cbaf32c74ea53312e44acd8483860d455dd7eaadbfbc40a86ac75e24882bd758

SHA512
8671c2235b409fca80805e43897558eba6d06a73bb649da7200b15aeda039ebc08c36b3ac8ce81e4dc938da07593526a599e47386c1a24ee86fb017f131be37b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
7897c88f26ef31079192085cfba1854b

SHA1
57c1c4ed5566487bf80e80e0bf5b517c558f3c75

SHA256
68aa48628a9138589f08c3b089c3df9ae1fe1fcbbc0ad65e468cb62bae815c53

SHA512
b2dd453f9357a1be6c664584d133a127e72913fab920bbffa30c6d7f1f60d3947b63f826eaf6d751dc0160364d7fc2ddfd009ce4d15885273f556b6036a75ba3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
8618c77c938b10f23bfaf26afd7d518c

SHA1
03dfbccbabf98517e662c8defe7ec00372968933

SHA256
6fc55938638e484060035b280f4ea89dab4831f21847f0343e8cd77ba3c83c0b

SHA512
2313241410efeb60bc7046b3f5516566d580e85b542bfa5b0595f7b67fbd0a1517c84f01322ea198d2a3058f1b4e24029922c8f60a292d67d8eee6f5a071a038

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
dd8fb4e4dd120c57e336fc697f5dfa07

SHA1
e5d0930fe8c3296e307bbaa35e7332587b9b5f28

SHA256
4dc6b004fa5d1ccd8aeb93e5475e4d4fab0bad7f12a60262115c267ccd330569

SHA512
281baf04ad4d09c3fc75e01f79d6ec96026f286408659b8c73996563630fa35894ca81f472c7dded058c0206b0d356a98c9c2f0afc2d1b9aed7f0d9fa89a55f4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
c8654b20619dfc59f3112b1745d18668

SHA1
8696d6b7cc2dd78b2477ad5cb14fc575e12f33b4

SHA256
13081cb9c0916bcf1489bf88da950639b45e46f62be1b63a919ac834df2b1b9d

SHA512
12d8fa157e7c39f522481ca245e2e995a66cc1b6f0bb660891d6d22daf1fad85c76492a3266fd4b977a9744f745af80c7e922973474c8357d4d43c6f7a0e1fdb

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
0747ccb8d6221e10c9e2d0c83c9554c3

SHA1
6a4962e5ad654605b2af78615464186a79c29fb6

SHA256
f86f8443c3448ddb7c982b23b9d533985f497cd56812376711c0a5232baa1c21

SHA512
959868dc59cbd5ae2a33d7a7ba657b11d021b2f9aea216fbefc95f641fa445fd351e3cd6ff4d5d2152d33855584e45924fb86b1e1e7179e6d83e2c56c19c1b3a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
8e570c4594a2745fd02e6f7d299fe70b

SHA1
13923a51065b01c18f5b6e1cf6511c0ec7fc5c63

SHA256
73b0854d202aed4d5bf011bd7c437df25d3e4a0d4373815520bf9b19c0104f24

SHA512
eb3789fb822fd411b9cf20ccc6fce4f7cd6768a140eb6a7cda0bd8567019bd4bd63abe2e50103124efcb6ff56feb9f9c1bc8a719e969760ff230ee7d2e2aa064

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
abda05832e1680a7526fd3f7c860c8a8

SHA1
0dfbee09bbfa6f3cfb8b6590c393bf15891c59ee

SHA256
13b9df1b6bf28bd3ca7705e545db764c36cc8d439a89a24e250213037e081704

SHA512
668d4b4a86b29b7a5fbbb5f4a3004fbdad230bdfe25cc58adbdcdd41cf810a3bf3335c5d5ae04d1119659856048e8037ee5ae640b4192edc97b7dbb959ca8c16

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
4ff2c3e72c63db3f6861478dd314802e

SHA1
cd534d8bd7f165ce29bcd3594165287d069d578a

SHA256
2d63add410ee49f933b38ca17d6fe92cfe324b4a56df94128a01eedec6a1fade

SHA512
849e7a84caf07d5c8cd076f5001a4d786caab005ee9cfdbd7517d04073cb24fac9a77fed1ab060c41c7bb3440d1998ab80f532b0ff1b3f84a55b2676d139a027

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
fa56506bda14ae5b7ef9e18f2509dc09

SHA1
ac11f4c932ecf2790ee52ce8128beeeeab717e9d

SHA256
6ec7cafd6e24028ea8f584ecceac5e7fe80d56a2f7d8269a766d82617d9a86a6

SHA512
57c83c01facbe90dda4ffd02727e88b6f3b7c517d92da0dae24d6b8957417ffee6e52ff64f3c627922453f62cd88a17685ccd33520b607a38604eea89f5e646a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
d07c73299dda0e191065ebc2a015fe77

SHA1
e80ec65c0c9223e3999c2b2983b822126f09d3bd

SHA256
8a4d68b08ede9a7d2fad6c487169457a3def536954f1b5cf217318169bb5e93d

SHA512
59c82b5713917e1ca3d8913021923cb14d17740d4e47a04dd156c8a033692b8db96d8c9b7b0b0081213a1e147fcec5f06882d5f1189dbdec32f44162c20f1d89

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
70ff34908f526abfe033702fd3ca5616

SHA1
aeb049640ae3a6878a94acb155dd6fb47abaee04

SHA256
09048b4891c5f043dcce7edd3e8ca14bda0380b581d05df9c962d39e8fa5629a

SHA512
4cbbffd16b05278f0d756f5302c5bc0c2e41bbc09816de72e175105c79bf3f95e8281490b2baaad3955039d4b235a45f283d8eb44246fcd061ee7854172c183f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
6d6f771b6078302cb6979f864699d8a9

SHA1
a5efee5b83e672a0a8826502a913b7ff4d5f1295

SHA256
04fc9fa2eca8a8210cf4fbe8b49a0692db09672c1dad2f3a15b687bdfa5ee8eb

SHA512
35c41d61b6e612404fde19512f2035ea71204349d805fedf8cfd36d9aab46d62a9636ae8679aac4ed1eb2085446dd5ee3fd4f075a07022663df8332384555e1e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
7432a5cdec3ef82e5475673a9cf0cf51

SHA1
49d86ef7266cf4a88043e9f05b91f1b7369fb569

SHA256
e8a8f381b8599bc74b283ae278680c521e44755b32c6cb3a300ab25cc6a2165f

SHA512
5c6d87d1a8b8e8770e22a0072b7d7b695fa756aa52dd3054af1c9cd52ca410b8c00f39d77dd8dc8b24c64f952295e70ab7f48e9528f78c1856a256c20fdf7354

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
155d7edfb0d89ca184f200563a2b02a7

SHA1
984ed7b0c2087b139e87685ea8ca109a16db0346

SHA256
7492c535fe8dbb5e5bbec8b2131dbb458793b0f90c5cff6ecf366b48fd7e54c9

SHA512
e79810cf3765b38e5ddbb7b6c145ac700caaeac34d22414b66caa6713758c1925fb7fb02642e095e0e891d3e0694ff30be38eadfe7e504f1156cab8afc3dfc14

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
cbed8de95573af8b18a52271b6fbfad2

SHA1
2afbba300f37742935b67be23e304da4b57927ef

SHA256
4199147ed67b7fbf6fa0413c1a835dd5a896cd0f9b26e749b76b6b932c81ad48

SHA512
ee706db39b4dced65be8b6a36327140a1153b7a3d1bb4d1f42fca715d6dc87731db172f9bbb7e01177a1e42572d0d4bb3fe75288efc2ef48933bd4f8653f95c5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
eae8b409cdc60bc5bbc7611bae456bba

SHA1
d2b08a76360b9f4d19dee958bbc6eca8923420b6

SHA256
703222b9682e91e66d73d81835b9acac2794d9628569cde62b379f1ebea349a4

SHA512
02c758af23a7a7c621f25b8bcc43f850e7005f701b5e424cae097a156dc48e1674088bfc8380d34c1bf7eeed3788ac1d046579e492078b424f1889a7a1ef55e1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
d38998e7ebdcb49f5c94a3600200503c

SHA1
6ee6faddafd5f5db307f49cd64a5d86b06113353

SHA256
51f86148afff2bcbdd9cf8e7f72fee478fb70677281f765268add42bc947e58f

SHA512
a4c1397cc7e4f63b858a8a3c3b23a50c79bf3f2c1e43e1896a79d87f28254ea3b805f0633baad4e89e05ac4b3c4e096e6a5252fdee05a7a9788315b11e5e56c0

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
7b4bee549c86b7f0c22c816c7c478cb4

SHA1
05637f331773e473f00a7a5cf75f737a64e2eb6d

SHA256
50d348fbc0d6af0ba7cb23ba416c390ddfc1dd8619435ab69bdd20c18af0c337

SHA512
bd29abead4e5a9bf797dc8e5ea543833310ca9a148c973c29df9a95b09907598bdc40464e8dc5190bc6a677906570f692e07eebddb560e5f57dddbe9dee09133

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
92d29a3fa4b6816916685d6a9631f64a

SHA1
fb315723927fedb25d25e81299c1dd023e921298

SHA256
bf13a9d3e0ba239bb4d4d2ad12ec416dfbdcd49a648b54de2aeef39ac8872cd1

SHA512
24cf46459877168fef9868c7d01e6fe06211ddd5a6d42ba11d93e6b759b90d3b36d360b6878e85a74fb6d14c186a0284b895a068d02592005cbc3d8bf2bf1036

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0a6c42cb1378ce90347ea3d09531ee7c

SHA1
7c2c84d96b161cd7062e0b7ffd87f0f186cfdbad

SHA256
702a7cd255bd75c156115c15b0cb16adb1dbd220abc29c1e855480b44217fb47

SHA512
4e4f8e20f811abce9e728167487f0c895831d80fe97cbe0c262a75e0e9899c996b1672f89ab4e0ebf7a14298fa5912e4676270455f7b09792917db85dce0c909

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b7aede337cc29f079cba1ca91eb315f4

SHA1
568543c2e6372e6b4aa21f0abb98ddef8c43d34d

SHA256
115d3a70ba9717b8a789220fecc232c96854a93e1b5ca339289017ad362f2774

SHA512
5c59e7ee8ab7bbf3261423bd50173a6c904b41d6bb5bd601d0afe7bf536411be7a33f65ab3a45a84f024dc6d0920908587e79029eb2749145c8906dead2d21ec

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4fea61c23ddc92d7382efb7e15e90374

SHA1
ff1977398e4f5546d13f63299404e67b88762e47

SHA256
a7b529ec450e99d2355dae4ce7779f365c963ecde46666f0a276f144b9b7b97d

SHA512
4ce53b9c7b83d5486664f80169244df841ae6f5334825640ea90f1b22817656b76bcb7c18cfa97b5497fe55db0f306ca9ce193bf4ca0553be5b2bfb0825ea68f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7acaa6f610eab99b55dbd31eeeeef0f9

SHA1
95747ddcf8409f26107fe674a07db024e3a80368

SHA256
c8747042f385c75c88267325607eeb871e5089f72b9d53d47c68706c9e1fe218

SHA512
f4acaa1c0f971eabdf1c17178b13ef10d007e23543ac8ca57e2bdcfce96c82aece8019a236b0b70d94b8988c0ac9712c818e28392348ee80e111c46eae80f3f7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
85fd3c45ab7fbf276e25a91709ae2fb8

SHA1
d209b4220db50c37680d0c4747b89af757b92704

SHA256
db4720f8b56b9ec3ccbfa58b64f0d3ff0522678fd25dc87e86ee7393f4cc823e

SHA512
e3b59b29004ae1d548da5d3daf2f03ce0eb09e88e4c116aa05ca7836363f3c4f174628b1f74b0f5c44230a3a665be92e1a229b3c5fce36b82157fd99686f8053

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
bd9bc7f909ea7fb19c24f2dd831eed3c

SHA1
e02d0c58e6d26be41934385ff81ae9ea4f4e6d0c

SHA256
cb51ca7b5873cf489eaff6c2b814cff5bd5cd82bde7ab0a5f39226de154f84aa

SHA512
809baabfcf97ac493cd919c640df000f44317419808bee652602848cbd0245a1c8a5dea97c6d876c81c74a77cfb0cb9509458bdd405fb770169a95a73a712ac3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
bd9bc7f909ea7fb19c24f2dd831eed3c

SHA1
e02d0c58e6d26be41934385ff81ae9ea4f4e6d0c

SHA256
cb51ca7b5873cf489eaff6c2b814cff5bd5cd82bde7ab0a5f39226de154f84aa

SHA512
809baabfcf97ac493cd919c640df000f44317419808bee652602848cbd0245a1c8a5dea97c6d876c81c74a77cfb0cb9509458bdd405fb770169a95a73a712ac3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0c99de58a6dc06cf14b17b77c6fdf229

SHA1
c0d0fd2953a89ed1702d5fe5d09ce74bcc140de7

SHA256
2bfce0c66f44cb7d4ba583a3f9a05db1c09109e254111f2632660d15e9c5ba45

SHA512
54a3343ee388251aad2bc3256bf5ef544c8a0dc56fa564c6c1cdecd4da92161cad40acf756a7b858c15f5edfe4872ccc80471c26086ace14311e5e8716ff3701

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b740a6d60928934458f7f55a9655e358

SHA1
a3195d0980576bb2274c31c7f067befbf2da64c3

SHA256
68868d6f2378975bf9af9139701c7635e8061aaf15659ff736f0ca418bb48676

SHA512
ac386ae9665c70db20b6ab025f3acc649bab96a13d006939961767f0657e17c75988cc5c036a7dfa3a1d38535993cf9d27378940e75534c00a5d39581d741a11

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9badd32dcc0fbafda57fe4c7d0cd56b1

SHA1
919419cb4111e6dc01e1e883c7fb31b5297c9677

SHA256
e31451a2046c2a8bcf2158f530cf5259cf330e1a4aab0470abaf499151b0e962

SHA512
63cd9c2f1e82f92b30039911249033da2e4b3868179a00666e26f5524ad1f28fbf90ebe1884d43620be60d6a86b623dd1db29f03de0c99f949499a13fdc6c1b1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9badd32dcc0fbafda57fe4c7d0cd56b1

SHA1
919419cb4111e6dc01e1e883c7fb31b5297c9677

SHA256
e31451a2046c2a8bcf2158f530cf5259cf330e1a4aab0470abaf499151b0e962

SHA512
63cd9c2f1e82f92b30039911249033da2e4b3868179a00666e26f5524ad1f28fbf90ebe1884d43620be60d6a86b623dd1db29f03de0c99f949499a13fdc6c1b1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7ad742a588c59b8e37b441ffdf709471

SHA1
72c5da10c781845872ee6b6a94519f196a214c4f

SHA256
51207f207aaadb6edc924aae773203c5d973f2495db6054419ba6dc47b29672a

SHA512
a995ba278f35421ac22906f5ec25e7941dfaa2e268275fba4c845ea1c1c530cd4862d82806dbf1a5a89e62390513307acf66945d049a76f07e82a389b18f1e4b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e8a01c980780e3efc16fde4cb59a8ba5

SHA1
0c3a6e9f4c734bb06d19bea4e8fc261338c3f1df

SHA256
283ad54ca6852e15a9307136acf3c164ec62427dc60541a8ab1b2b9a311a6ab0

SHA512
d912c02472130614d2797177a4503c3bb4fbfecb13378b7b5e5393932ba33ad1da0c675891f3ae5153a4451e60ba82245e8e5c3264b4ba88edbc1a2d3ad89b89

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6b74179b3c6b6e474e8484b2c9b75c41

SHA1
55e225cd7aad90be31019d9a841cea06050a288a

SHA256
49b030d04f428b1c6eb0cac897a475e0164b77063c8cea612a45ba4cfab04d6c

SHA512
a8b606abe42fe3e9316aa77dbb755fa270b9367d3fc15a4a32b1091d4f3bfe2b998c8a46a147fa5664123dd83dc959de50bb8621de74171ea6df7aef91e8bedd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
47f872ddd13f2434276fb95e916281fe

SHA1
7147b8ae5bc6ef65c083698b613cf71ba5ab0c83

SHA256
908d6640d5eed10637b5d79bd0ed8d926a8be20feb5400ecca9edbe539242a4f

SHA512
e236630970ba19ecff75bead77e0535d5f00859fed50b1d59df4459af39762e90c797a48071c005def615d3edeb5d4bf2a8d853976fedc27ae4aff0556a67ca2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
e8ffceca67ec34f90a7ca702a8f7a6e7

SHA1
b51a41af87fe2c62deae141047d15ec8a5f5f6f7

SHA256
13fe4843139f57ac605fc8d195bd00784e282cc44ae5f4698f275cef942ce153

SHA512
3d05e558b96578f5b37c56460383035f5b7abc6b236536a771cbb2c193d6032375d2192217d34bb1b362df603262f0698ae83dff93ef9c0a1890df6b751358fc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b9efff689ed7c9fc605d54f30678bd5f

SHA1
c0fb00d65918945065f416623909dabf1370085c

SHA256
f1461bd70f1edb21386033225f4ccce1f22602c9632b19ab09ddfa750e0a340e

SHA512
6eea114f8520ce797082b102f09a72fd0f89fd6f2dc65760032e943f60018f6b53b689533cb44ff793f5d4fb96c6b2bf02fb71d250500fea4a1c967c607b918f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1cbd4dbd62f8cad6e12d13410b64c61c

SHA1
9c0327b4d8031b5c0879e705f4eedd8785db62f2

SHA256
b155b769381a91b91352dda5b696454f386e13a6b0164f7f134213611a5bd93b

SHA512
f22ef9049076fbe194ee0231635f8bd4f7c0976eaa7743e5706756ccc226b0ce2128fc3676b9c538c26dae258e1d891467850716d449adc2f2505eccb836d59b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
fe6ae8981fa9115d575345e9e3d94a10

SHA1
d1bf627cb1ed6176c10b508a307413b82ffde1d9

SHA256
2bff4abe38255678c4325ae2adfca9eed20480a0c07ac592ec1ebff32debe723

SHA512
5040c4f72bea81e4551535fdf564eb449455f979bc13a9d827bca19c2f66441887b4a6370df5d617b881a7bfd0397d32a67b57c02e12770c46d984989177b50d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b657aaf13569bdd54cce90027b6a8dcb

SHA1
964aec4dd590b2478b8631da98b1f4423dc522a5

SHA256
2034ff17944fddd6fd34ca144c36facc37492a8d7de80b6ebfb5f7601e893c15

SHA512
6e8cc801ab167650eebb3847ade6b4b82979e0db6b429cb13d9bfc58e4f9e0f39d361ab7cca91083df438f9d7ab2047bd5f2540056875d55d8bc23c82d736df2

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
b7aede337cc29f079cba1ca91eb315f4

SHA1
568543c2e6372e6b4aa21f0abb98ddef8c43d34d

SHA256
115d3a70ba9717b8a789220fecc232c96854a93e1b5ca339289017ad362f2774

SHA512
5c59e7ee8ab7bbf3261423bd50173a6c904b41d6bb5bd601d0afe7bf536411be7a33f65ab3a45a84f024dc6d0920908587e79029eb2749145c8906dead2d21ec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c0d0977d06095063f8244c70df3eabc1

SHA1
fad959061dfc1aeed231a7f8a0e512af6b0c725f

SHA256
e2ead4fcd28617e5a34bcfd452e665937269a1bd117c21d465cb1cdffe804b94

SHA512
30d54f436bd01aff2f540c880b60f84181158af8f42646acd1d4b5edec253b75a1454a4ace2583feadfa15c8124d08b6400fca953d7c680390d70b762556fb0d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
d5f0ef90a937ad01132abc3740ce471e

SHA1
b0313d8ff4a5df21c855e5ffabe588c2bedf7789

SHA256
d70fbe5fd6ec3a89f43e6f7d7684c5df1cc583722d04cdc5fcf6f4964eeca3af

SHA512
e25a1ad0f814835825622b1a290378788bcf16b9a4518965c1a18bffe583e65650a57b01e4b6bf4e99b9e16911f6eb7bf8bd7f08605a0ac0a427febc22d2f1a7

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
7acaa6f610eab99b55dbd31eeeeef0f9

SHA1
95747ddcf8409f26107fe674a07db024e3a80368

SHA256
c8747042f385c75c88267325607eeb871e5089f72b9d53d47c68706c9e1fe218

SHA512
f4acaa1c0f971eabdf1c17178b13ef10d007e23543ac8ca57e2bdcfce96c82aece8019a236b0b70d94b8988c0ac9712c818e28392348ee80e111c46eae80f3f7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
d5ea5474770af0cfcbdd184e31552102

SHA1
c75caa43a57626ea67c37f4d49c09e2835656ced

SHA256
298fdcbd7727f0da8eccfb83d5029e4c9ace76249246d838ab8c0fcdf6a85501

SHA512
28fcabccbdd78453b089d3f1dc79332db3d7ea0f0db30a0725f48947c4d5f89c0b91ef9b4160163bee893a28e192e04cfecb85131e3b0401387717a3076d8e8a

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
934b0182ac4574fd957d3e0e625919df

SHA1
9e5ddd3b871ff5397a1c3f47185e567d83d3da9c

SHA256
bf07dc60b8722ab5f4532d5ae11b2292461a83a1ea400989852d7c7a634d418e

SHA512
f432b71b424347880a8624d8915ca5a0c8f01947b29c4c4d29829a3be10c3e0ce730fb1e839839c4a33bbb3ca1a9534063ff8f5f882d36771fa1561b8231a347

Download Submit
memory/1248-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1508-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1664-191-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1664-188-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1664-185-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1664-195-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1664-180-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1688-345-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1696-194-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1696-530-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1696-215-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1696-201-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1736-458-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1736-156-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1736-163-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1736-165-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1972-269-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2152-313-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2260-220-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2260-226-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2260-229-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2260-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2732-478-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/2732-216-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/2732-203-0x0000000000F00000-0x0000000000F66000-memory.dmp

Filesize
408KB

Download
memory/2788-605-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2788-347-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3008-290-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3316-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3360-399-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3772-212-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3772-528-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3772-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3772-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3832-139-0x0000000007A60000-0x0000000007AFC000-memory.dmp

Filesize
624KB

Download
memory/3832-137-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/3832-138-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download
memory/3832-136-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download
memory/3832-135-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download
memory/3832-133-0x0000000000E60000-0x0000000000FC6000-memory.dmp

Filesize
1.4MB

Download
memory/3832-134-0x0000000005F80000-0x0000000006524000-memory.dmp

Filesize
5.6MB

Download
memory/3960-170-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/3960-176-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/3960-183-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3992-271-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4180-162-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4180-149-0x0000000003050000-0x00000000030B6000-memory.dmp

Filesize
408KB

Download
memory/4180-455-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4180-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4180-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4180-144-0x0000000003050000-0x00000000030B6000-memory.dmp

Filesize
408KB

Download
memory/4288-553-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4288-237-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4288-234-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4340-292-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4460-401-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4460-619-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4728-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4728-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5032-371-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5044-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5044-621-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5108-666-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-713-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-640-0x0000025A2D600000-0x0000025A2D610000-memory.dmp

Filesize
64KB

Download
memory/5108-717-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-641-0x0000025A2D600000-0x0000025A2D601000-memory.dmp

Filesize
4KB

Download
memory/5108-716-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-715-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-714-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-665-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-704-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-703-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-639-0x0000025A2D5E0000-0x0000025A2D5F0000-memory.dmp

Filesize
64KB

Download
memory/5108-667-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-700-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-701-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-702-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-712-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-711-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-710-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-709-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-708-0x0000025A2D610000-0x0000025A2D62A000-memory.dmp

Filesize
104KB

Download
memory/5108-707-0x0000025A2D600000-0x0000025A2D610000-memory.dmp

Filesize
64KB

Download