blustealer | 5f323f12b134d9f8718282eeb8d8423c9a6f123545cb8fb4ca3a38b6f8092af1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2023 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Request for Quotation.exe
Size

1.4MB
MD5

6194f48fb37a6bb1ba0908abc6b1a537
SHA1

0e80a10e34ca8b23e568f871bdc0eef8f1fe63f2
SHA256

5f323f12b134d9f8718282eeb8d8423c9a6f123545cb8fb4ca3a38b6f8092af1
SHA512

7723660cb65c449ffd73ce457d3c7ce93a4d7703452c7d2f68608e4245420e26fc390a435f4cf3538931d6938568266043e3600e3fe943f531ad696990f7ef25
SSDEEP

24576:m9WFfD+P2kVORHUvU/C88Cx+DDs9hmt9EwONE+D3APRgbUTfNugzT:+U4C4Cx+DQU9EwqTAPRgbfYT

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
2692	alg.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
3184	fxssvc.exe
3032	elevation_service.exe
4628	elevation_service.exe
4760	maintenanceservice.exe
3288	msdtc.exe
4936	OSE.EXE
392	PerceptionSimulationService.exe
1016	perfhost.exe
3272	locator.exe
4224	SensorDataService.exe
2552	snmptrap.exe
3296	spectrum.exe
556	ssh-agent.exe
4072	TieringEngineService.exe
3996	AgentService.exe
2568	vds.exe
4820	vssvc.exe
5012	wbengine.exe
5004	WmiApSrv.exe
2056	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\vds.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b93a24a6c9ce9937.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Request for Quotation.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 1728	4320	Request for Quotation.exe	92
PID 1728 set thread context of 1980	1728	Request for Quotation.exe	99

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Request for Quotation.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Request for Quotation.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003370051dce81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cda57c1dce81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bf80e1dce81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb37be21ce81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000122e7822ce81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000533d311cce81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcf71f22ce81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070c5591cce81d901	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	107	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4320	Request for Quotation.exe
4320	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe
1728	Request for Quotation.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4320	Request for Quotation.exe
Token: SeTakeOwnershipPrivilege	1728	Request for Quotation.exe
Token: SeAuditPrivilege	3184	fxssvc.exe
Token: SeRestorePrivilege	4072	TieringEngineService.exe
Token: SeManageVolumePrivilege	4072	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3996	AgentService.exe
Token: SeBackupPrivilege	4820	vssvc.exe
Token: SeRestorePrivilege	4820	vssvc.exe
Token: SeAuditPrivilege	4820	vssvc.exe
Token: SeBackupPrivilege	5012	wbengine.exe
Token: SeRestorePrivilege	5012	wbengine.exe
Token: SeSecurityPrivilege	5012	wbengine.exe
Token: 33	2056	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2056	SearchIndexer.exe
Token: SeDebugPrivilege	1728	Request for Quotation.exe
Token: SeDebugPrivilege	1728	Request for Quotation.exe
Token: SeDebugPrivilege	1728	Request for Quotation.exe
Token: SeDebugPrivilege	1728	Request for Quotation.exe
Token: SeDebugPrivilege	1728	Request for Quotation.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1728	Request for Quotation.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4032	4320	Request for Quotation.exe	91
PID 4320 wrote to memory of 4032	4320	Request for Quotation.exe	91
PID 4320 wrote to memory of 4032	4320	Request for Quotation.exe	91
PID 4320 wrote to memory of 1728	4320	Request for Quotation.exe	92
PID 4320 wrote to memory of 1728	4320	Request for Quotation.exe	92
PID 4320 wrote to memory of 1728	4320	Request for Quotation.exe	92
PID 4320 wrote to memory of 1728	4320	Request for Quotation.exe	92
PID 4320 wrote to memory of 1728	4320	Request for Quotation.exe	92
PID 4320 wrote to memory of 1728	4320	Request for Quotation.exe	92
PID 4320 wrote to memory of 1728	4320	Request for Quotation.exe	92
PID 4320 wrote to memory of 1728	4320	Request for Quotation.exe	92
PID 1728 wrote to memory of 1980	1728	Request for Quotation.exe	99
PID 1728 wrote to memory of 1980	1728	Request for Quotation.exe	99
PID 1728 wrote to memory of 1980	1728	Request for Quotation.exe	99
PID 1728 wrote to memory of 1980	1728	Request for Quotation.exe	99
PID 1728 wrote to memory of 1980	1728	Request for Quotation.exe	99
PID 2056 wrote to memory of 3600	2056	SearchIndexer.exe	120
PID 2056 wrote to memory of 3600	2056	SearchIndexer.exe	120
PID 2056 wrote to memory of 3640	2056	SearchIndexer.exe	121
PID 2056 wrote to memory of 3640	2056	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  2⤵
  PID:4032
- C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1980

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2692

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:792

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4628

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:392

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4224

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3296

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:324

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3600
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
75e47a93a3b78a6c128b843b787273f9

SHA1
888e743b99e1d8ff6381941e310de438ca556700

SHA256
0db302666d6faf8e5fc5a4aba5f4784a3cc75d53664fb318659ba17fedd9faca

SHA512
fbaba604a76a897c3a7b121bc6ae7d8112b99e4d5680b0537fd52a4dbfac24d03bec5acfdafcb8b8227fcc828f1fcfa3942765475f85dab4a376a237800b75ac

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9c88e0339a08b4f5126923075a6044b4

SHA1
340821c92467c5346d654de4a156930834ad0aa5

SHA256
5adeb1ea0d8117c1f0a87f247faa3f6140f3d8b8fa9b9adfeaa7a0272e6f0822

SHA512
90023de096c4e87ad34133ff67fd7383e88a8d3732ed17bb38089fe6d4db80a10c107f713aa7f1afcaec855cf2e610e228c17bd3be7e5a85f598b91aeb810919

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9c88e0339a08b4f5126923075a6044b4

SHA1
340821c92467c5346d654de4a156930834ad0aa5

SHA256
5adeb1ea0d8117c1f0a87f247faa3f6140f3d8b8fa9b9adfeaa7a0272e6f0822

SHA512
90023de096c4e87ad34133ff67fd7383e88a8d3732ed17bb38089fe6d4db80a10c107f713aa7f1afcaec855cf2e610e228c17bd3be7e5a85f598b91aeb810919

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
139fcab351fb69d5170ceacdfb93acef

SHA1
4f4649a0b72cb02d4d4a37269f5649411c0c456e

SHA256
ad62f9df5ae921f10e7680748879baaeee284225bf1f3270db26ce360a6638f3

SHA512
ac3db5b61e42e3cd739627078b618712f82f1472849d332648b9577bfbaa38ec2251e217079dcd8e77508712e766b8abdbce5c7913a48494fc6182cb0132dac4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
dbb5ab09f96da443c3f0b89cb506eacd

SHA1
f6531938edd2ab4c4592a256660af55e306c70aa

SHA256
904bd2f1dacbbced0d30ab61f2d54a477e4470fa25343d09cd83c5a1c9e06671

SHA512
2bd1f1c3222055c6e92b4c095bf293c5bc8b2f1633f101e313d1b480154fa5849c05929f2f50b6e20de7baa587e93e8add62c435d39e0ab2c469433b2243a93f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
d1089c7046829403e8a90306e8ec681a

SHA1
5fde7e298752401649345b53fe3fe626cfa87378

SHA256
42464569fedb6a44c5f16e407d42d20527c975a79b68767344d907a8a3826bc1

SHA512
35ef36533f2ea8bcf1c19f666428bd5cdab339485e72446194f97dfe20c12cdda663c6118024e5590dffc96f277cc8e18719c2c4abb9d522d5772dbc81486cd5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
192ae35759c64802cf25580cc692a5ec

SHA1
23607e3d9e03e5528e51c3beedce2e0db2fb80b4

SHA256
577c33b37b3806694d12e1e920e83c30d1cf2f1277619eb8f45d5b2960d66ded

SHA512
6058c3e9d1f2f01cf8a38a58a0db8dd458e1eeccd6b9b3b72b150299061b10431cf424a581d6937bf2f4e3a8b5d2a4455df4e49f252b26f829420af4bae67748

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
5bb7c59d860367b4d60a7dd27b96e648

SHA1
84b35e477c19d2ea942b9c494aff63f4f074b111

SHA256
d68f8a36a806ef235cefc1c378680a2f85e2d6cc864741148865ea20b9262b21

SHA512
c5f8a6d518b47b2704ac75faa5459518c258a3a633567a5f92741e7f81f8b36eb64569ca4dc02d0213dbc3b7548309f723a92913444660f3d06d968aa49b9669

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c42aad19be9cec94ac6ff75dbbeb7f97

SHA1
83d934e3fae87d9995ac4d95dbbd80872e66fcab

SHA256
30b3314e89f3bec408f25cb9f5a5af2e08a1d4ea36bce55fde846a8db6e56fc5

SHA512
046d2d56d47583aa6d8f9890a822862d0203a11b45248d0241fd9dee3cf83f1949eb71427469f274f80da9dcb9092ea43b6f6424292b05a29928b9a4f5f7c96e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
ba63f294586c30ba9d9bcc97c28be59a

SHA1
3ac1b054edb9f7c38972d899ad483dd010c28ff9

SHA256
2cd4109e4e9985275e6ae592b4cd8af67708adf0c050cb76fdc19127eb77bf61

SHA512
34cdbdd55eef88ee30c6b4db645ff424f48e6651469abd9ae1044e0ad7b957fc5bcdc27457d04688b8c9da6fe5db085d7b1dc6e887936263e7ceb5648d5b72ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ade66fba7472f938d031494a6e3a8af4

SHA1
73fe4c765cb7dcd3f5fdba3b8acf3bfc9b1e412a

SHA256
7de955314a223741c714e9f934b8ad5b70b7182fd199162af497297209e2d730

SHA512
6a48633a45f2bbba3ae309f841be690508244fb620b275145d04bd60178e275b59372f9214c52fcd654d32abf5f23f2ffb777b3f671bb163bf7e5c2ab1fe0430

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d4a490ca4df41692ecb095ca8c107df9

SHA1
caead158008b15defc4dc8aad7560fe3641a7f66

SHA256
bd3bf86282c570b434f241d062ba21743d5e6045106c8c9cdf973baa48e82bf4

SHA512
6487bfae4131b6c8c576b0187fcda2b6e7a306069705ba2e8d285e58b91a3a8065b4ef9bd17543c364e7b0787f34e34a7672341c7860b94a11e46eba28ddb923

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bee8ba5c8a8e91fe5b4f91e546052a77

SHA1
ace85dd86bc1071dfb21fcbaf7b71e02d2278b03

SHA256
83d76ed3da0f6dbb51d6e260eda30ff5469d2b1cb1f396823b39a9950fff4c74

SHA512
67456a7bb7121045499a722dc66c44189f715e26666984c0427d9e7d6f8b61c1ab7f1310101307670daf327205ad2ba93dd223378a4a1f6f1d83ade33136ad54

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
b1232eb02c1c4792a356d8843f9279cb

SHA1
226b7a7096eb50427b3d63390af8e1ea6f5ed246

SHA256
338bc5280fa0c3e04664c9b29e7c8798c5868a8e68eaecaa32d2045a4a44db35

SHA512
5f1ce8e0105e08ee385c747f3996f638d9b091e145f7c7120fdb9a5a8d36176812094b3d77547c4cd2a1e139b05beb23383f7b45807fac143724181df3d608f1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
910b7f5899a744d6de93f782fe0121f0

SHA1
301dfe1b1aa438712c0be453ba2e731808659b61

SHA256
de1e6d6e7e2dbc1674fedbe593a6fce61c55e511ff7343ae330595bd5ee7a03b

SHA512
e9943786ae0bd8536f684979c7cf807db425d91e3d36a206e218e43882dbd238111049001a492f2d1a0668294efd32e873414479a80b894f12f2a70ac855de84

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
459943c7dfe6b88abc71c2f8efe2999a

SHA1
6015c517b8dc46d59c09b4954f52b877dc13467d

SHA256
38a366fe1954a849c50a26de68a81ad30c34ea03c98ebc5dbd05f72b7eb9d1b0

SHA512
beaa4cdc7ac73296bb9578917c71950b8f4590c690f02e78da2dbf5bfdb2ae570fdd4831772708cda8727f3b9e20d261943d15a620b62e175d2c2a7b770ac776

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
6bd2098e2acb88481e7ffbd769892149

SHA1
4895439b7650f3e90fe46925db31a3b25531dc55

SHA256
46ccd60f747f562eeb2d573ae3f0a57a9eb9545ffbc421c7b4ab2d5ca79082e1

SHA512
9b2a2ab6448e538c40452e1de55d3a9bfbb2d8f5c8f5efdde7c445021bcb33322a67a2538ac738bd216ffcd63f29dd15ecd56d4a95f06110fe09422dd8c0adff

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
e7662e6dab35b1b8ff952d0951f7d2d7

SHA1
4d289435fcbccf63e5ce8af7a2f8399b098ebdc5

SHA256
07939c1a507738a51316255efc533b93e4d9a4a2acd2f86aff70bdaa8bad298c

SHA512
03c629f02f7058a8fc0e404252b5166ee387bf5611b8458f1d7e3d5097c2d2382cb7d7d43ad6f14a6fa01c92d7b90a4e7bad74219c836a4549744ca84971511a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
268218317b056c8d13e8cf6f0f12bb95

SHA1
f680007ae398312369b82c62e0046dff91ec9a0e

SHA256
790b18a5c3c94c80dfcde728ec3e2633e7346ab996013276fd5e5789778a9dc7

SHA512
c6cc93449686f4ba969ac05b6e2e2a2ca6f569c2523aed09beea0bdf3497df14bbfb22bc29c3fcc531997732c0646a4aae2ee0bad6071909db1018cbb78239f5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
d662f096f676092a162ec8a2240fd202

SHA1
e6467adcfae82224b04bb572e1ed36eedc242e44

SHA256
136920941e251653fef65868fb8cc40fdf640d3b08428762fdb84648c9aa25b6

SHA512
00c8315aa0ff66525e621479717fefb1c872ee48d76303612b2a02bbd832cce90f13f41eb926478345761b2453cfdfe93b1f88ddbe5f1af7d517a326a180fded

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
8561b04a29522b169bc59f6bfae317fd

SHA1
55487ba6457b9d8369dd7738f5c0c9b93382af28

SHA256
1e57d79ce843418e49d72478c9721bb74d0c9e6a644520364df4aeadfbfcada0

SHA512
ff7fc90622eb321c3a6fee575ec16a49f04721197733160106c42a14b68bedfc34f0036ef0f9f63fae996c3aea3e28ac8f912c224954ab12f75a244eff1739ab

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
e26ac846810c34a8714c4739686a2e5b

SHA1
1af9a6aef5023e0ef432eaa8965720ad91f008ad

SHA256
76b838c6a31c6288948838a2c94017451ab1ce98cd8c152b8793e8b10a02f967

SHA512
4cf823268ee91649088f78d5f891111931736d5cb41feac06613c6f949c0811328910b49c225dc81875a62fae7475c7298b69fa3712a30a32cbf13811b6c3637

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
dc5b560cdcdfeeff864f709096a4dde0

SHA1
ed6eab901592508884677fbda58d728893a418ce

SHA256
2f1f70d6023854efdffc467084026aa45434c770a21afc23c26aeecf98425cc8

SHA512
b24dbb759daf6eb8a5fc7e0389171f97161a89992e7e797923f3a824dd284941203279d68edcf86086246e33075014c83894f389092890406d856403429a97b0

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
55cc928df205420e5036084018374afa

SHA1
8260eca49efb1498a8616576e2023267ee778af8

SHA256
082235ef34d4f632a1f9e82a1767d2a77eae7a212f9f10068a6411741a765499

SHA512
23e6f940319ea33585b1a7b6f1a44db3c89d3cf72c27c8dedb7910419895f2f19f0c89b85149b131570544f8a53074236be2dd2e5d631bbe468fa76386da8cec

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
ab291b7393f04806de05027479d483e6

SHA1
9307279519ef1856272a3a504af4b21cf73b199f

SHA256
bcc345c7c4120f19af2bd07cce60b53431a56f2ba9ee320424191be137f3dc0e

SHA512
7b7fb947f397ac10073696ea6bb5ab62b0e27c02ac84cccd84b193124c90e40e05790f7efbf816d2406e88897b51019810930e29ac3c3fa938f4faa07a45e377

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
357cbbf8b923260cc1641902e909ae09

SHA1
122f4ea1935120de14289cd5b6f38e6ba0361c41

SHA256
ab264b9753960a940d0bdcbce1a1e20d0c40f6fa327262974e5ab55173c96c30

SHA512
c214b95dbe544a88401a618607db5190c76318e3dfb1161eb2fa186990c6065240ec5595c428ba141ab089068cae0f78baf62de8292b41a081a74f255be9cae8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
3480286d794e6808f8c30011609bc555

SHA1
9fbc7547ed3074ada08589922e62ba5b84f516f6

SHA256
085982fa4a6453280383081683fe55fe7053ab74b06cecb8500aa205096d4684

SHA512
927514d33815815779b571c4e0e5dcb116c1b81fd08d98e453da6050029d7449fc07a5988225e766addfc00e363a1aafb60c664273fb48c60c4dd852135bacb8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
3a21e21f2ccc6d487636a01c66ee2983

SHA1
b71a3e79fbbd68d57fb122283265f7a0a91fb9e1

SHA256
a63e7040161e72fe14ed54ad0db8a289c1160ddba495f57059f95f87b99b6e68

SHA512
2ba65407ae2b868c8667c26e5a1106b7f5a3da568b63634c8379fd7c5043b880b2698f7beebfb1e1546ce6156a5f6f2e02930726ad9085f5f9adfb3a5b6f4408

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
8ad93ca92d3f23a67a7350dec8683c70

SHA1
edd52b9aa455b77774c4ca8afac3e4da46a42d72

SHA256
e556fabc1ecbe8b44749c2d6192221a8b6a12ee9dee15f2c11602ee8bcb62b90

SHA512
446dbf21da969b99249d41421fa6786c97e50d3bde7a0f2135d359c5c8d41083e38a0000364cf13e81a5628e39740c51507f9a0f5f54844e68796739b2408385

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
06b3c5a268ed6e90c492adbbc63e4124

SHA1
932963ce777611b2a2d32ead155a8a168ae6ebfe

SHA256
b534ba812aeec9a367ec41c81d132d58833c1afff97fa1e3240ea19d91536ddb

SHA512
7b415d67de13550baca2923abcc29ff1d574bd54b1847fb50f4bf75dafaf70a03fb5aaceb5d0628492cd850c2ec4babfc3322ccabb2c0a170ffc18b12d4eee13

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
e20e31337b1d70f77e77c5adfde31f4e

SHA1
db8a73c84cc23948883259af1220fd076a489469

SHA256
b715c1a40211a7021dd9f2ab9a8ee569028430b08c4feccbb71769199ecda9a8

SHA512
03e5e1e38058a84076bd0aad18956426f3735d7974b3b5740ef8903f9b35fa239c440b7c747a3c1094716c2e9c9cba682b41b90038ff76090e9d6f6342840453

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
8415e0568ab80434a44f2562da68f29b

SHA1
ba8f94046ecfdd95dcb29d256fa4b86ae6b1e1cf

SHA256
be6b0893f3bcee2bf589797d26f120731fab51765e42f890e0786c29fd987681

SHA512
9bc55e5078cf3ba9c61451dbc15703cb66c797d4318491b007932f4d58ce15cae1dc71c3dfc8f4e46d3814a11c5c718fa50c6701352457f9975430f3982d295f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
0e9d6a5918415fabcafef454fcaa92fa

SHA1
89876fadc11c2b620411873b42ee8d7ae8381626

SHA256
a0046c9d574826e212065f0c2523bd7f7fe487c7c53ce07c623cd910e50298ab

SHA512
1859423363eb05743ecf2c59cae89f930f99e5552861230e76f4af2f5f5f16533bfb8e479e240f4b64136b2be80813a21bcb6ecd3491f059c3340381b083c06e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
cdd9594b2e6cce4aa85a1db5da6aa4ef

SHA1
d1b781d58ec2110307606d841529864cd4eda017

SHA256
aacc765c945f12466966df392cb15cfa4e23a6bcabd7b148cb66a37c3d5cf191

SHA512
6bccb27e2de30c835d8a3862b47fb5f1e6ec01ce20746b7970ac36139a5b8b5d1b762104388a1a23c9e7a4cce6c233222d211f36296496da8a30bed56a458f36

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
2df60d95e0c5987a28e1755e380e5345

SHA1
ff27136009ef175edf5298232a220ae03eec1685

SHA256
9fb8d1a0c5c78be7beaeb8ab1667df47befa3a5713b650d092a0cbbebccec53b

SHA512
cbdbc50ec6437e0fb0d935e4b70dfb3d3fd875904eb131dab764b372191094657880fb0358a3beba3bee7d03c3c5a72f3f01f2d295c26355ba05d0ee4f33f807

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
b785f4c4b2e8b0cb242d758daf5b925d

SHA1
184ce27325497e3fc8ee97c961baff3eba6457a5

SHA256
54f8fdda076a6068d8a922b938a6a0806b581578bd63b387d375ffdc3f875e8a

SHA512
57ee5bac7cec3ff326fd45045386e52e875a6c6b37863a1b75d8cc234c886594e52c759f43b8a5fb60ab69ef736932046b1a3e46f1becefbd2256cf730f65107

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
f8c0d88d9062e5eeeb4f2504af6f0aa7

SHA1
eb88f3eae8d037abcdcd7d0fe79b1035e2b75208

SHA256
f17e96e8632a154969b6a4b092ebbb759e71987c1fd209f02de99fb0841163b8

SHA512
b632be29cfa69607447c7126420e0730a9ecb0125b9d37d5646692f6b86478c32f77fbd4c475e0eacd7e0e98aa4b4480fdd52c3eef66f05bc96799bd66b9a59c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
47c049d1d6f0cf1b019f424d813bae89

SHA1
4d694f6ff1d976d5b3559054efb8091e847c84f8

SHA256
093f7c5891aa2ac6b5b42156f86dcee9ebc5243cfd648cea81d02f7f03444960

SHA512
03068aeffede82c2c64e477c0fe27b76932615e9f3ea0ac7b1661f56b8f85fc82321941255631420d053fcfbf7d88060fef202fa3204d0d1c76d30bf10ba9186

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
35319f32bfc89315072588a145712d26

SHA1
aac84cb2d1ed9f861f122c8f31dd948c3598ce13

SHA256
ab3e4705955023bc5cf4e279652b1a7a0ac5726b314c87e536033e9a5519e36f

SHA512
e9346245a80f144dd70c42f63c671a89839c9bed340723459a4bc8763d0fcc3287862dda005d2e534335a2a147af12cb88055b8d85474eca3ec6925804f6cfa5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d6132a2945a35ab14111184512dce809

SHA1
6ac006411d4bca275079fb099a2e838c315ceed3

SHA256
006c5e3254eb84779009612140cb582fff2a5a0a913cb5680b6defc3dae1e3e3

SHA512
1d385e397caa2805502f7fba7e4223c474d2149d1d9e1ce6ba44fb1c52a4edf33d7464ebea93fb70a3823efb4b60893e27883a429753a3de33107508be9f4dbe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9131e96f60a57e1104323305008d084d

SHA1
1602f53feb1587f8c228edc72547ac3c4f492fde

SHA256
ba031a48601bb3e287c1c2abd9cbaba4f2fda4563fb8bfa34ac2a138baa4d669

SHA512
5e9d26375c6c9c0d87f824f0f83fe029a9471432e61486b0c7e566c03cb3aeaa4549ec85392c19a2f07cb7be10800dd0b609e2e6f3d3d8dea08f2f8218cea317

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
60ffdad4f3569dfdcaaf156dd8346fee

SHA1
10d099e23bd66677fd685e63b1a481da5007f8cf

SHA256
fd3efeeb4a3820ee392d4d0b75abaa9aba823acf8b1894b351406d49b0f2bc27

SHA512
96cfff82be74142bc262166e55994c3b1c2073963f007259379d9a914871cca46f72bf998ed3c6a71dbde67ebc137a7a616fc09e9efe210e43d452a089814150

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
78550bca64f0967b937ca369ca142284

SHA1
8280053c567b1815a8442121d46aa075d9c6f0a6

SHA256
acc12c4ec828071bd0eb80e2d7730534b637df9f598983c4d349f90c80a9100a

SHA512
0aad45de75045d6323e9d3810e0edde7025d62de312f7b95973bc4cd8a3edfdb46e102ebb7dbc7b853af5cc1bdec228febfbc1799595cf9ffca64168eba23340

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
11f5ab4c62f583b252fe02ed58e526ef

SHA1
fdeab1fbdafcc013621570c674d3621573428999

SHA256
ff1e5e4daaefcb025b504e1a7eefec6ade8ff861b1bb5eeaa80c72d859015344

SHA512
cb71dde1d9a74ba49e7a4d5bb6bb6ddeb7edf68e03f6adde18cba654b5e07e310fc9885b804ffffe1189aae5b053fbad1934f606472bc85f3e75f03467426932

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
11f5ab4c62f583b252fe02ed58e526ef

SHA1
fdeab1fbdafcc013621570c674d3621573428999

SHA256
ff1e5e4daaefcb025b504e1a7eefec6ade8ff861b1bb5eeaa80c72d859015344

SHA512
cb71dde1d9a74ba49e7a4d5bb6bb6ddeb7edf68e03f6adde18cba654b5e07e310fc9885b804ffffe1189aae5b053fbad1934f606472bc85f3e75f03467426932

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9e3ae6aa3035cba0c20771f0489e55d7

SHA1
b07609e50f601b6a56b60cd8cf55cf305e5ff5e1

SHA256
a34e1208884d1e780fddd0bbaa25a36a1eab1dd55709ecaddd62d233de99dc90

SHA512
34cc983ec24e73ce8ca6b10022e5c2240e24ef4ec410444af2f769ae8bb42640c0755a219187fb25f9e9f6626750fb1b261c08564762b97589990764888e9884

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2d62b4fc8439068dd271524042defaa4

SHA1
703546c3b17e7881e8f7950dca2a9ebd92a2c398

SHA256
9b5b84111575110980b4bbf24840d4d114f135ab3304300421b12ba219acfaec

SHA512
44cf62161b0d1930488cfe1ba21006a8c5092e07e91edfb53c057d5581bb65066e9323e75b4159c3710c0e0d5c52791a59123ac1166c401efdbaa7ce8bc567fc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
20b2b9f042f04afcd294fd2215903bb1

SHA1
787dd10f8a04948425b8e27b8e6010fba591288d

SHA256
9da0fb098ec83226207de6d47611f6a64c27980f5414f2dbe81515b8136ee0b2

SHA512
75c652b8bbffdb90d257029a5e1cd0fcd7b79d4f0f750f107ca38ed02d0009a7dcfa5806f35ad5e8ed8652e84e3b6ecb54b7083e93ddf871c436ba1970c4407f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
20b2b9f042f04afcd294fd2215903bb1

SHA1
787dd10f8a04948425b8e27b8e6010fba591288d

SHA256
9da0fb098ec83226207de6d47611f6a64c27980f5414f2dbe81515b8136ee0b2

SHA512
75c652b8bbffdb90d257029a5e1cd0fcd7b79d4f0f750f107ca38ed02d0009a7dcfa5806f35ad5e8ed8652e84e3b6ecb54b7083e93ddf871c436ba1970c4407f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e87b28492c3748a46849a51d8a269001

SHA1
d70f07f9cb2731c9120c3fbbde3fe78f5b05a98d

SHA256
35099afcd1c4950f9899137143940978e088e606c56952a21fdc35f0fa284bec

SHA512
b56065079577fcaaf8066cc7e4383272268ddbde6b0d85e9cb8ef2a5b04495ff34ae69daa2e18e515d37a9ed4007b2d5a0a96f49fe799b94878bd2721bcebbc5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a98fd2c5c6022a90b80037bdbeaa5146

SHA1
e0bf8832177e5ba19e1caae70c73b2f093ebd94c

SHA256
78fc4a542341e18074ebbbcba7a7e142c6daf5bd916af4045f8a154e878f2382

SHA512
251147d0ecb6294d9b7469f53492a7b458ed068e5c6c865d38f11a92295058f95fe1add41d58df16b8f3ab865a53ca2edc10370f1e7332150dd9f1500824917f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
56badbef41f1034bb0571a4a0dd701a5

SHA1
6336aae4c4ae2dcd86b7cb622db5fc9b0eb95aa5

SHA256
a52c1774bc2176d4df85fa6f55b952838e39458563fd5faffa244650ae359093

SHA512
c1a7209706803a75f7ba78c20cda2ae6813dad1f73311b53e5bdb2c0de3b3ef7c8a559d197ea02506c0e80c65ee72d2629cab880b4f5883bfc2a1a1abd77fe0b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9e5093a17fa13993748af0db234eb5d5

SHA1
e30993838feecacc6bbd289462f3af49935bca5c

SHA256
a5c60468efb8aaf7de6ace03ca6776f38bc4974409d0c2948bd7908ca6d6410a

SHA512
2d96b3515cbc85f11c48a4a8dfe4183629409c96f8b95a3d2d67f36508944e45dbb240274786e72ac8f5e4450b3e3f6f85d5e671940dc908ddd65b34598a3675

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
9e05fbe846c771776350ebc8e8def8c8

SHA1
3867bc8f43fd87e542c5fcaea5b32e04e2d6e60d

SHA256
c89afbfec845893c7ef22622e69f8bf41419124f83cd95ef0a5a6732b517e3c9

SHA512
ee833b22b73ecdbbfde09e2b9e1cdc6e3dd7238d93252fe6ec481c409931e9569478a1e114938a34bc7f9c8702834e096e2b5fd8e604b1cf6746f60b7b739cc5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f1c31cf80441500165a4a3d63d7a7902

SHA1
d7dd76906fa63520d734258f5418594d8840e116

SHA256
48cb9628794e69cf03d97f6735307d1bafcd9728dca6222c3302331b95722f1f

SHA512
de374e99d15fa55570b02137e6bf3b5c6e08b99a398a5d12c8903dab58bb47be3c6655eeaab37053b1906a5458f8bdc9f50ea2e565f00e1d6b71a3f439c522e6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dd4d6ac8609c50d619aa87c85dda8204

SHA1
43731ea740f93277ec35bdee60732f97ba77ee0a

SHA256
8bfb540c20f3d47ddfb68abc6c8401ea6ac6ab3e9949b43ed6a3965a5f717fa0

SHA512
d443cf7eab5d91be931f193f92ff56dc74c696e460b61af3985d721ae80d0f8d7b8b958833ea5b4a9c619b11252309b2c69698425486be67f9e8827c30e47d18

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
cf491981f15f632de82d3ba08ea18fe0

SHA1
59f16b96be26a6a6161d9c1c56d98509d340bb1e

SHA256
8cd2e62b145bbac6e216886fdf9761e3000c757a0ec71ec40dfbe33035f6f1f3

SHA512
9beddf48b93bbdf2207e4ff29f19cdef17256ef8011d2e201a944d6dbcce517f98d012e1f6fe081b80f8de1b557af8ef8a52b7b0f56e91685eb7d772a5b6d4dc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c8f230de72f3eb4b7d3dd7b31574ecba

SHA1
ec56f654dc8b244144c66f5347100f7fd9e65d82

SHA256
f154df702e25dea71f8ff992f7b3577b6bf339bf4cf69ccb70ec1d39d8aa4c44

SHA512
d97d7e6e7a4beb9438978b443b5d982800392b71415c083f38489ab12527177c626786fa6061edbd96b11bac192a899bdd3aef0aae21e2d099e63a9f7daa4aa5

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
d6132a2945a35ab14111184512dce809

SHA1
6ac006411d4bca275079fb099a2e838c315ceed3

SHA256
006c5e3254eb84779009612140cb582fff2a5a0a913cb5680b6defc3dae1e3e3

SHA512
1d385e397caa2805502f7fba7e4223c474d2149d1d9e1ce6ba44fb1c52a4edf33d7464ebea93fb70a3823efb4b60893e27883a429753a3de33107508be9f4dbe

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a9270f0a39b3a322ae11ea67bfb9b4d0

SHA1
b14a67cac48c68d3c62b674b2af88b828792f3e7

SHA256
d139f554e7c776c35ffd23ba6f9f5279e268d30d6cbedeadd315ead15682ed83

SHA512
a2b43d88ee0ea5935a24698ee91c54691ee3cc2849dac30dae0b88a1a3cbdedb370f24e886e44ef2dbde2754fc3c9def93cda17521ab322511fed4e1efa4f4b8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
8dd9054600959437a32bd3f683659948

SHA1
dfd331dabfc86f83561f1757050fb5a83278125c

SHA256
ad9be140386818f5275fb3b7794bc94df8189ae8ba708ba8fec28da31e0ae048

SHA512
52d3971998fa4e51449b5d02c56296cdec30353585bcb68947ba6b76bf8b4dad9bb4ae99a690a64a09402cde5a263387c53696635627c41128907dba55e98eeb

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
60ffdad4f3569dfdcaaf156dd8346fee

SHA1
10d099e23bd66677fd685e63b1a481da5007f8cf

SHA256
fd3efeeb4a3820ee392d4d0b75abaa9aba823acf8b1894b351406d49b0f2bc27

SHA512
96cfff82be74142bc262166e55994c3b1c2073963f007259379d9a914871cca46f72bf998ed3c6a71dbde67ebc137a7a616fc09e9efe210e43d452a089814150

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
52c4d31b5aae3be568cb11f31376ffc7

SHA1
cea4286bd4f959db295e86d7a890be8dfdcfa3ee

SHA256
7a35959f4f05f2ff69ff3819cd01ea68936b8b0eadd805abacc87d71b0e6a57f

SHA512
c0b417e7c39a18e70664481ec732e18291a6a78b14fe01eabdc8d577c14593803c97651c5122152208619083d2ff01105195df5e1503ed845dfe1962b61f4f0d

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
52f4baacd35bc0d4e9fbe68de66e59b2

SHA1
0ccff11095892e5b47d09696d75792b68b298c88

SHA256
a85716b52d9a6224852799de6dcc11e26c84bbdb0e75cfce2a90333d45515e68

SHA512
13104813b0fdde02f7c8b65a1ae5e88802f6861f7155091bc27c55dc0af2ef8393a07458465fee91be3ff465ad076a5606613a9b67a36d98443888f5a9cb44db

Download Submit
memory/392-586-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/392-260-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/556-352-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1016-287-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1728-150-0x0000000002E30000-0x0000000002E96000-memory.dmp

Filesize
408KB

Download
memory/1728-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1728-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1728-144-0x0000000002E30000-0x0000000002E96000-memory.dmp

Filesize
408KB

Download
memory/1728-145-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1728-470-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1980-204-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2056-415-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2056-663-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2552-320-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2568-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2692-157-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2692-163-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2692-172-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3032-198-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/3032-191-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/3032-201-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3032-534-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3184-187-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3184-199-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3184-181-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3184-197-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3272-288-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3288-233-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3288-562-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3288-232-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3296-606-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3296-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3640-753-0x0000022D4A3A0000-0x0000022D4A3B0000-memory.dmp

Filesize
64KB

Download
memory/3640-754-0x0000022D4A3A0000-0x0000022D4A3B0000-memory.dmp

Filesize
64KB

Download
memory/3640-756-0x0000022D4A3A0000-0x0000022D4A3B0000-memory.dmp

Filesize
64KB

Download
memory/3640-758-0x0000022D4A3A0000-0x0000022D4A3B0000-memory.dmp

Filesize
64KB

Download
memory/3640-759-0x0000022D4A3A0000-0x0000022D4A3B0000-memory.dmp

Filesize
64KB

Download
memory/3640-760-0x0000022D4A3A0000-0x0000022D4A3B0000-memory.dmp

Filesize
64KB

Download
memory/3640-761-0x0000022D49CA0000-0x0000022D49CBA000-memory.dmp

Filesize
104KB

Download
memory/3640-762-0x0000022D49CA0000-0x0000022D49CBA000-memory.dmp

Filesize
104KB

Download
memory/3640-763-0x0000022D49CA0000-0x0000022D49CBA000-memory.dmp

Filesize
104KB

Download
memory/3640-764-0x0000022D49CA0000-0x0000022D49CBA000-memory.dmp

Filesize
104KB

Download
memory/3640-768-0x0000022D4A3A0000-0x0000022D4A3B0000-memory.dmp

Filesize
64KB

Download
memory/3640-628-0x0000022D49CA0000-0x0000022D49CB0000-memory.dmp

Filesize
64KB

Download
memory/3640-626-0x0000022D49C80000-0x0000022D49C90000-memory.dmp

Filesize
64KB

Download
memory/3640-656-0x0000022D49CA0000-0x0000022D49CBA000-memory.dmp

Filesize
104KB

Download
memory/3640-657-0x0000022D49CA0000-0x0000022D49CBA000-memory.dmp

Filesize
104KB

Download
memory/3640-755-0x0000022D4A3A0000-0x0000022D4A3B0000-memory.dmp

Filesize
64KB

Download
memory/3640-658-0x0000022D49CA0000-0x0000022D49CBA000-memory.dmp

Filesize
104KB

Download
memory/3640-757-0x0000022D4A3A0000-0x0000022D4A3B0000-memory.dmp

Filesize
64KB

Download
memory/3640-659-0x0000022D49CA0000-0x0000022D49CBA000-memory.dmp

Filesize
104KB

Download
memory/3640-627-0x0000022D49C90000-0x0000022D49CA0000-memory.dmp

Filesize
64KB

Download
memory/3640-688-0x0000022D4A3A0000-0x0000022D4A3B0000-memory.dmp

Filesize
64KB

Download
memory/3640-687-0x0000022D4A3A0000-0x0000022D4A3B0000-memory.dmp

Filesize
64KB

Download
memory/3996-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3996-356-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4072-354-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4108-169-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/4108-177-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/4108-174-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4108-488-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4224-590-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4224-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4320-139-0x0000000007800000-0x000000000789C000-memory.dmp

Filesize
624KB

Download
memory/4320-138-0x0000000005C70000-0x0000000005C80000-memory.dmp

Filesize
64KB

Download
memory/4320-137-0x0000000005C20000-0x0000000005C2A000-memory.dmp

Filesize
40KB

Download
memory/4320-136-0x0000000005C70000-0x0000000005C80000-memory.dmp

Filesize
64KB

Download
memory/4320-135-0x0000000005A90000-0x0000000005B22000-memory.dmp

Filesize
584KB

Download
memory/4320-134-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/4320-133-0x0000000000F70000-0x00000000010D6000-memory.dmp

Filesize
1.4MB

Download
memory/4628-231-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4628-560-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4628-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4628-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4760-217-0x0000000002210000-0x0000000002270000-memory.dmp

Filesize
384KB

Download
memory/4760-223-0x0000000002210000-0x0000000002270000-memory.dmp

Filesize
384KB

Download
memory/4760-226-0x0000000002210000-0x0000000002270000-memory.dmp

Filesize
384KB

Download
memory/4760-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4820-655-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4820-381-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4936-258-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5004-662-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5004-414-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5012-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download