blustealer | 2c96adb4c6b8c3dd82890cc40049dbe67a141ccbf07155ad68ff8188853fd790

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2023 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order-688930021178.exe
Size

1.4MB
MD5

bd064f5b67dcb30de45b19e11d424f53
SHA1

cfe03d52e6af08c9ad2d7c7f3b7afbd4d7e5794d
SHA256

9d603074042f5d594bc2710ed1545ce7648f35ea0ad789ed1ffbfa2d294faf55
SHA512

20a2b6c6bcddaa77f5a5b7dee4d1a6bc14eeae093cdd5b20cdf2567606f3253d48cf60463f6aa380bf43d541733cbb06543fd21ce271821311057e250c886cb8
SSDEEP

24576:+JDy73Le60VNu1ZtGYNitrP7DVvIiK7vog0soXrmiSyqDG2whTfrO:+U7q60VNu1ZtZ4tr7DVGog0sovnq2zO

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
3732	alg.exe
1124	DiagnosticsHub.StandardCollector.Service.exe
1300	fxssvc.exe
4812	elevation_service.exe
2920	elevation_service.exe
1836	maintenanceservice.exe
4752	msdtc.exe
2884	OSE.EXE
4080	PerceptionSimulationService.exe
3352	perfhost.exe
3052	locator.exe
2300	SensorDataService.exe
4108	snmptrap.exe
4984	spectrum.exe
456	ssh-agent.exe
4876	TieringEngineService.exe
4248	AgentService.exe
1224	vds.exe
4504	vssvc.exe
3424	wbengine.exe
3956	WmiApSrv.exe
1744	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\locator.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\24645a93c94b1c77.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\alg.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Order-688930021178.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\vds.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Order-688930021178.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4528 set thread context of 1652	4528	Order-688930021178.exe	91
PID 1652 set thread context of 3204	1652	Order-688930021178.exe	97

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Order-688930021178.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Order-688930021178.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a692e866087d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aae64b856087d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000447c22866087d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c97e03866087d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5bded886087d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085e0e6856087d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b1920866087d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	84	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe
1652	Order-688930021178.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1652	Order-688930021178.exe
Token: SeAuditPrivilege	1300	fxssvc.exe
Token: SeRestorePrivilege	4876	TieringEngineService.exe
Token: SeManageVolumePrivilege	4876	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4248	AgentService.exe
Token: SeBackupPrivilege	4504	vssvc.exe
Token: SeRestorePrivilege	4504	vssvc.exe
Token: SeAuditPrivilege	4504	vssvc.exe
Token: SeBackupPrivilege	3424	wbengine.exe
Token: SeRestorePrivilege	3424	wbengine.exe
Token: SeSecurityPrivilege	3424	wbengine.exe
Token: 33	1744	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeDebugPrivilege	1652	Order-688930021178.exe
Token: SeDebugPrivilege	1652	Order-688930021178.exe
Token: SeDebugPrivilege	1652	Order-688930021178.exe
Token: SeDebugPrivilege	1652	Order-688930021178.exe
Token: SeDebugPrivilege	1652	Order-688930021178.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1652	Order-688930021178.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 1652	4528	Order-688930021178.exe	91
PID 4528 wrote to memory of 1652	4528	Order-688930021178.exe	91
PID 4528 wrote to memory of 1652	4528	Order-688930021178.exe	91
PID 4528 wrote to memory of 1652	4528	Order-688930021178.exe	91
PID 4528 wrote to memory of 1652	4528	Order-688930021178.exe	91
PID 4528 wrote to memory of 1652	4528	Order-688930021178.exe	91
PID 4528 wrote to memory of 1652	4528	Order-688930021178.exe	91
PID 4528 wrote to memory of 1652	4528	Order-688930021178.exe	91
PID 1652 wrote to memory of 3204	1652	Order-688930021178.exe	97
PID 1652 wrote to memory of 3204	1652	Order-688930021178.exe	97
PID 1652 wrote to memory of 3204	1652	Order-688930021178.exe	97
PID 1652 wrote to memory of 3204	1652	Order-688930021178.exe	97
PID 1652 wrote to memory of 3204	1652	Order-688930021178.exe	97
PID 1744 wrote to memory of 3104	1744	SearchIndexer.exe	119
PID 1744 wrote to memory of 3104	1744	SearchIndexer.exe	119
PID 1744 wrote to memory of 4784	1744	SearchIndexer.exe	120
PID 1744 wrote to memory of 4784	1744	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe
"C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe
  "C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3204

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3732

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4776

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4752

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2300

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4984

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3104
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ad7f3f6dda8b8dcb63c615db6feef60e

SHA1
3f002a75ae4d1e1bb1cf6ad260157cfb42855fad

SHA256
7d894d6af7cfff07ab1b4ad0a3fffc068b12f6b7f826448a505ce01b8e255a1e

SHA512
68ed905dfc0992179bd492d4985007d0a6ae2f868e3e70f97cb634708ee1a151ec3fb74b1a71e75cc4cf9b3e3bad75bf7dadae2da8cc6c5119ae2d3831e33c8d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
140fca5d9caf7117db0ee66e5b05dcfc

SHA1
f0d1d84e43d634b6df9eacecb9b0a434166cad31

SHA256
fce8b438439e00ba1f3cffcd6bae29efd99d6816c33e20a7112ec97b9ea43e58

SHA512
4cc1f6a9ba6c2b83b2e139ce100d52f2351f7ecf5b10c65d724bca356bb509a1979d8f3307be670cafd7c181c0beebee158a10db640422a1ebb508a3f33045b2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
140fca5d9caf7117db0ee66e5b05dcfc

SHA1
f0d1d84e43d634b6df9eacecb9b0a434166cad31

SHA256
fce8b438439e00ba1f3cffcd6bae29efd99d6816c33e20a7112ec97b9ea43e58

SHA512
4cc1f6a9ba6c2b83b2e139ce100d52f2351f7ecf5b10c65d724bca356bb509a1979d8f3307be670cafd7c181c0beebee158a10db640422a1ebb508a3f33045b2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a560c226bb00af1b76d9e60c329cae94

SHA1
8aab8bb13065a5b846f7f82e34f9280767df13db

SHA256
b7e03cde966dcafddefa05cfcd8a89b9a5730c68a154616c9a6eb640814e9823

SHA512
fd8c82da7fb4a9487a95d8a243e6f009d3c886bf4659a2501c48e619b077554acf0f59eed0acaef1d24eb9a214e3dda50b8c26d678baeb5760ec92218853b1ae

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
016974502d8612b7c024cff6b5a38481

SHA1
02a2d4e7247eeb6b0ca83a18c60416b3ba9136e8

SHA256
ce3d6da67fb54eebbd34c55ae6b3af64dcab7e98a8570cebbcac798ae1f6a565

SHA512
619e0b01c35173c520cb0614ee65a6ccaf839e6ef88188ef853b8f7fc231fb675eabd1e9926236892f03f9a6313dcd2d570bf0531c5f5a7aa88ae9579939b414

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
d3b38f982316d05d34ff2aa8b8656721

SHA1
358ac52ba0ab354a9466884cd0e8b78817343e95

SHA256
7873d460c757fef6d6d2599768db34061b8e5bde7f3b38458f343fec5f0c64ad

SHA512
a82b1e6487383f4cce1834bc0d1c89ec514d437fcfc1f67ad44ac6f138ebb1e56536e64d179160e674bc3a6459a023f236ca81f7a4e645bf24beac3c16dc4b18

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e5ce73b1019efbe1553ea9ab066231b7

SHA1
be080573e130f193a3f8a043fd4d01429b1bf328

SHA256
4520e3aee6a6116b5d33588a176de973b1f3281960300a248aa8ddd0c7d53d32

SHA512
48913e251e8512f1d9ee2b739f8151f1de7a48bf550b0f4db6af7aed9f122e57947675f1fd833133de5eaf2149c1377b56a7caf972be4b133e00ea0b45993c3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
dd46295afcb64ca62e069db5e4945d34

SHA1
2633b7af10ae21080f380a34d21f0f52fe7fc1a2

SHA256
697a49017418349be973da8f13863e8ddb7a4d2f7fc2b63b29be0456f1b6b249

SHA512
7276b57deafa8f41c54e38f2e2629140c32ce937a13a66afa4cd9a2fd5e74dca7223aff931b46fd13bda24215e6ad2ffdf71f0a4ee8ace5480c0637c011305e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fa16ec1e50646661f8cee5e7009c7b6b

SHA1
0b98fd45e5b33f20ed0bed013a472e706a7c1c40

SHA256
e43e1d379768a88c6d4e86049263780de34e2ef4450e7671da85a7e7fcd890d0

SHA512
e57725289bb99b6c5b106e68f5e268867fed7ce1393e94bc9c19bd5819abd50e33a9a3ad01393597771ee2f8bf49835e823320c4cb66c96af06c6084caae42cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
175e0da80fbbf88b085eb429d2c22c96

SHA1
f70c5d28d62c16b70c1a10d207c4289ca794f7bc

SHA256
0239db79f44c1e92ce93d84548cb0e615fc59ad60c23f7b149fec2f03daae6ab

SHA512
855c062fe6c0cc82a990254cef146b70b6590ac530024e26e2ec10d25f63e40f78842fd0acb57cae44020c2bb1763007eefe00fc94f28153faaae6e3aa3755d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
12.4MB

MD5
03831f8f228ecd65a5986f04692d83e8

SHA1
1cbd2a80c382d0a8084a3202b592bafc4ad2a2d2

SHA256
0cd24d09515b3ee84dd5a2bd9a65da38eddd6eafca0760e0e04a82aea7f41209

SHA512
8554af1c9b667afd3f0da0cadcaf28429e62d4ecad1ec6ad1c11b69f8de69a9bbe9176d88e42061a618a82a18185cb05bf446790606e0966e5fb233f1366398a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0e1b76b2c417c8bfeda95721db8dfcfd

SHA1
37e487bbe0cdb94e2d58a1dee22c86087d073641

SHA256
4ab179e2bae40e948197e476943de55afbfc90af0963081b7edef9f59ff63382

SHA512
e8b867cf0b3c3d0bd63d0146e32b5185e3787d4fba9c6401efca1288095f95cbf6660958565cb4b9f706626a5d02ab43526dde634945fa8996a4ceadb57ee36d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
90be5368cc5cb7e3f0acbdefb42c6ae8

SHA1
b809bb4b335c535d14a4322c51394119522ad67c

SHA256
c73e7ba5a2b5b35a522408963da623c80e5c1174c64c9533691950078006294a

SHA512
cce96ed2cda6a5295085833104377b90d323dbf2880a73ef6b24d9d641bb9a59e57ab5d4e516cd5963de5559b4dd7d712da5024549f296906d32a26d0dd215ed

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
b9d490aca40359ff1f3cc97404e49cc7

SHA1
b9cc9ed03cdf86cbc26e24f994986236317ade61

SHA256
48276db3a4a98a3db12f272b1b2330ede1022ea926c676f43f687e42cc8ccd26

SHA512
ffac69442e74700efd637314eba5479ec65b94de33d64180abdcce0470784702d22522f62beace1cbb890b050643ffcf8913ff0464fef19aefe69443e6f00c57

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
44d35c57fff4ebaa150e8d1e8d2fd966

SHA1
ca8fabf2d79298e026da93efc5d27fe313c2a4de

SHA256
6b13449e2dd6aaf7a1a1a4a0de1c210252e975cf0adbb722131b9add9d1a167a

SHA512
0368527061d2f9d3780206b4fab10500b09f96498ce01c873ac587623adcdac4007c12a95b0dc496635ea736fea2453523d1f01d38593c7228c25e1de0785372

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
6e9f663e939dee9124350cf500c5fba1

SHA1
d9b8940b35d80907d45a482251d2ce6399303a22

SHA256
9628a34b48fd49e2c6700022848303177e109ce55729d0496b87f736b5a6ac97

SHA512
5c6af546c69fe8776d41892200fa95ace609e369c5d6065363069c53c47794a173a9966f7408150b7f69e6a01e318c68a1573e02ef242bc88652cfb43b922beb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
90ac20a5a0a48ce000fa0e4ad157c12b

SHA1
ff3ceaff876af316062171b3f064d379ed9479b0

SHA256
553ea2ad7d7932aebe0ffdd1589239141dba5ff355aee35a1ce13c66bed77985

SHA512
3b1f69eb1b06c00412bcf63d2c1b23ed328dae68d6972deb416d0c9c5090d761cb49c857c41861deafe8383703409fc590b17f0676f2411927499b8c13a6b15c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
3fcfee6c38142bf27d7c0b3348f841bc

SHA1
203e5ac5f95c661e39fcbbf2d76600fc34fe5272

SHA256
06aae515fb6aba13b7847ce212e78b55c7d41dceac2341873fa35e72f3c07f7d

SHA512
16c7bf6226dd41713912004b521e855ef73f32ce8b2ac173cfd5d73e220516e9d3d421fa4bbe9a350d50b7a11c45531660a613a05e1fc5bf24c48429a5ff9dfc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a897c546d7604003faf1c42bc1529b14

SHA1
de1728b5a8c1ef98abfbf349c777d93569a07ee1

SHA256
711231ad05a59ee79e3706baf10fafdfed1b1375d8863702a3569ed467c6b245

SHA512
084f8a9449081c48f55cbc86e48810ed8dcb6a7c47993ddaf9baca402d6064d4099f8c8e0f882617fcab12edffefde1b42dae5284dff68d6fb2232686fd3fb2c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
81e3382c7a2a9198813dc2368941feab

SHA1
e00a1198da30722c4d917fd9545935623ca4b0cd

SHA256
3e762548f307defc45cf18e75a7f53ba56336871f7adfde0cce426121e3a2a31

SHA512
4c488958aab603e04a4a99215028c0ef5f3651fc6376af66d1dda95549beaf15cdacb77082903504531aa705cb5ba2d1b82e7a58bc2df003199c7466903a7565

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
9a3b542cd791c434fbf96a688339da1b

SHA1
2805280856c35b33bcd8c7ac32bc35ba31ad1c3d

SHA256
d424b77eb2bc0cac626d33d18d15d61806575ce107c33b6a3c90e6546a8c8dc3

SHA512
fd051436837f52c0c1a1f389983cb8bfaacfe28a5777cabb6afb54574f4105a97153fb8378eee7ef252b8bbda3a4f4744cdc8ccd62006b663022ed8638fc0835

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
14cd88f7a768defebd2309e0a29935a2

SHA1
1cc9eb18cfc56b4056a858a7bb7ecdc826553ee4

SHA256
663b938f0c50ee148bb42b58865146f7dc3b79aa29f835e45c872f6a0d48a620

SHA512
e4289e7c52c232485f1af0719e011192caeff221fcc2395f173025cf2fa5ad5efb5446fecaf3dea9902378330ef7d3d8a680efbbadc8bf5b8fdbe938da71ee11

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
eeced4df0d65e9d10c3ded23170340df

SHA1
5ff8ef3aabac2d793dae86551eef546f0d6a4582

SHA256
cab7eb629bb6f8d6b6b873a84d8ebc9bacf345273aee1737315479be879253b4

SHA512
7580b879f742175c4d9909fd484feb2f4ff011d5bb880e1b8b59c36f0b1a9f08f7900f8ee3cb26dce6516679763a1851a225d49bd9303d1c370912e26693371f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
a6f7e60d1346aa137e67e1b1a9ee346b

SHA1
a567d318dcee2add7173867846bf1d2a56fac718

SHA256
f040f7557c05af6d376096468f9f073f0b7b5afe28800555aad9faf655776867

SHA512
a723082516328a82837c0622fa8762911a83c64f2eb45d76134f22262375200b86cd7c3a8c6c16d8097a2d48fc55d19c6945a2ce6ec40da13bfbedcedd2d900d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
b50865dc5f88924714a9a486d7e3ae76

SHA1
e2410c8595e3b02d2732526095f4e3b6993c0132

SHA256
c287cbf3765b14bf1fe534b57d25e5fa30542e5adc89b37ba035e2c934475d2b

SHA512
62ffc0b91b29c0944f51aa4674d4181f7e84706667a3f0f2c4d4003967d025127ab93e4ce43e923425eb5761dc6761470a0abf2d12704468b5738925021d3984

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
151de6dc17080c66aa981b583bb5d48d

SHA1
e669b4a9814466de2ad3926228de5ceab6c4444b

SHA256
1cc5a21e93806ef87b82c9b57e19fd78a083ccae86469b80d779493bd453e1db

SHA512
4d48109b254ed415d5ba268a9a679aa897ee7a89826475a0842908d6cd6629868ec5a78c6ac3b6cb6139c91dd0a14b3ce192fe936a9966b7c26d624e5dab7a40

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
98e17028e7db618159575b893487a7e8

SHA1
c480acc77d5eab1d9f2599946a2a849fbbe519be

SHA256
4468bd81883d95506a4c62379244fa32aacc8dd6e7dba79b4c17d59f7e950c06

SHA512
aa42be1445dd7986bc1888dcb15f2a24dbe1a17eeb0da824cc863339867aeda38b3a7cbb76189f783eca51f5ebd9f7ae39f084990b4f1c3f1da8eb1a080261f2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
e70c234153e4d8aff3870d442487968a

SHA1
afa886116ee4a3f3a55625f24fb08b823c8b3163

SHA256
b66868ad04216cc4465eb20a8b923cfed4d01b34eb2d40de7a7c52ee69d1439c

SHA512
f3392ac48d86baf3d7fa0d54cdd8f68b45baa304bc304e744ed06088688f985546ea10a788ab35ff1234fc437919e349b594387060a5e64c86ea2df2f218e655

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
dbfdf277da1f9a67091ea40ce2558029

SHA1
5ab327d787b3c49ee8c1aeec823ca73b6270660e

SHA256
62a8280effd99874039faa98bc061f1899251db1cc6235a9fa1968099c590408

SHA512
359cf0854e29cbe5efe2a0c88926f1528be6018d8e9cd7d573ae7808a5d35fa081950d9af0f86abf5331b7684e7391fbb7e6e7ad339c2dfa67e7b5b1a1eac286

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
bb7be072cbc198793c4fb3164d7d8ccc

SHA1
a70f82934de5330bb15391eb9bd0932c20527fca

SHA256
88586fe874a49d8c0b206965e1981f31361fb5f2016cf3da622a1467e206ea13

SHA512
052fe71398c94678c4a42d867c91f168abce03bf2d0ed0b87a79906b9bbd9fae7dc2a927aed1bb4310a93e8c7e05c495a87d53331102e61b2ea773399f445577

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
c64e88d495edbdd6fee50f97152b3e7e

SHA1
c9b15fc46ca978ebf85894d90ea9bc2a39974ceb

SHA256
c00950193a673251ceeeeace7076e60e9650a40819ef2434eccc76fb27328f82

SHA512
ce3f579f3759576487bb778e91e82c96fcc2cda54e80a3502b63881405aff60e4544d10c775f6cdd88e49cc46697439e11bfd64e6bd714ccbffe658b6ab8ae1b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
dd8afd373722f0939f678c55e1cd2bbf

SHA1
19ae1b0428104f4f1523360089e5bd0cab09d5ab

SHA256
950cfbc2578c8aaaa97011d5bf472ba808b1004c1eb88a68b6ec1a8498ca5543

SHA512
c7bb1b9efbbb36bff8acd8fc744faf150edd0c7a9cc57fc7ef95c7e4c114d4d01a94e143acd925d93635720769bc1b679659f8d2557a8d1c470c2e1dbd530948

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
07a8d1c7d8d89e19499aeeb2afea0bfe

SHA1
fb25add3b7352df42db3c200f1895f6e1fdb7cf3

SHA256
232fb72ae6266324a76de0f840e18cab10097c78336afb3fd05016fda932c7ea

SHA512
58e37d1c4fbeb085560777774ef2abebb0930eb578337e6dfd689a4e91aac30541c93edf9386bcd7ae5eb668d0dc5a8a9763a45317a56e146282a5bf58d12b17

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
71cf156565011b8c4384f1e9ee3c88f0

SHA1
8d70972bd3c9b953bdb0dc8649182d4e37270097

SHA256
8f4ab447711771b7e476cbd4f241465c8ae4dfc951c671cecfe1283e9f240124

SHA512
0a9b65bec39ab42e8599371368e7de34a219cdd304d8b3782ec278c4547be88bd5bcc386f04814e842f80f96c85223c250f3d104ca98c5e838849d9fae43bd82

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
88a09ab0c3f0c6bb1c2042402c038cb2

SHA1
79c6ee0ee77f860bc2d95909f262646ac2a15c1b

SHA256
c0c8c7dd155d44bc2a76a41f0c2fa1d93e42ded08695c5d9895d50019f32694b

SHA512
685860822c458cc2e4dec9e2acd02d2f6090906aeab2560432a5d79b85f0a4679fbe8c31bf7eb5a7e1ff1e97e0c4d3c652c36db33be93d9c831146db695ce4bb

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
36a99a67fe3d947a0d06c17ff2b489e1

SHA1
b43fdae78e98dfb57210684256983c0a9adc9243

SHA256
b2fd0c418f43bdca86f413aa170721b26fb6e7b14ecea92cbb84a65a300f51df

SHA512
c8cf1a9ddc6cd5da607237fe8625787da1ace9964eeffb661d7c576033fce001ce6cc79f4634b77bb2b2574ca26b25e2a6e0445f0cbcbd3fd8d02c09b9b3b13d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
429fe2a5114c2416e7c0252cbc448dd7

SHA1
12425aaf4ee62366bd53503431be7790e5a7863d

SHA256
bbe2f8750ea72fd465ed604b92490b9d5c5dcab6f5cc10ac1f439862d858bac2

SHA512
ffe9482262be07a2beb319047a681e186f37a02b017c2fef0982dbc6e55419c4cdef1feb08e4926c0b53903c5ba4fd00a75f5482b6ee317ab185f9fab0148ccb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3121c055e863de73078492b51b039eb3

SHA1
50fc332894a801df95126ee03b3de17646ec296d

SHA256
54c17da9ad6f1b385547563772af11667854ee31b1e26d15e64e7f6d0a0c96e8

SHA512
47e1782a8f1b506bde477632b9f93b3877be83238af731dbc52802b4d8d0dc47befbd30fbda626f0983ee14c93bf3c11efff3417cbc309de5b89599d0394cef5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
acba2b59945a83b8c2a2b451a3d37281

SHA1
23cbf35e95eca7435e405be8c1187d4574997306

SHA256
80fd2471b1f02f246c80b07684dd20cfe1c7cdc72d72eb1a5aad6d781e8abae3

SHA512
3449a2988237c0929c6cbcf8f4194df5fe2b8ff2e5ef35e1c6a2206d59b6329f6b89a3f6955619b1b95679d57a14aea3f01fa8e360ff40f24868b970b0f4e65e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
774fad7a037baf7506d602d4cceeab82

SHA1
3d62157ea1340918a0f961604a7dfbdcdcab77e8

SHA256
cf9435f96daf090574bf1b5ad9790a472d68d352d1a0c33740ced718916cb599

SHA512
a7805ef0aa3d0f78f181322a1f93b06f8f803289aab9b8bb547ebf6128f2a22d11a8689ddc8de4f298b4958740c5719e9ad0eafed24b4096d433da014feb3f87

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
8fcf09e368b18a2960a1c40a41d6407b

SHA1
a796436be58141e7d629b29556bb2f35c8f4c3fb

SHA256
cbd59e37f57420be0cbbc8a17975c09cb57e62a93ab79ee56a116e9c2b448d7b

SHA512
7ffa919413a6477dbf8c80588d2a1045ffe15b188a6bcdf2d925a7304c7a4091414b1720f1befef3358ba2d4182309e63e13f2ce4219ad31b3564b13a377690f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
97bc68c92694162c48f3f49a75ea9ef6

SHA1
0f3d6f44b4697289a6166e168ad7ea7ff28e0d34

SHA256
24adc12cb12b38d9c5f33af54432e8592a9e141e2578f18a315425fcdd1b7d31

SHA512
bf4815c2835c2242fbfcd3fb02eeb3cfa4680a570e32a6610c0755a2ca305a25469fa8682d35afc6cdb444419117e986032a22c6f137181cb2dd2c21297377f8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1f82f5d3a2a35f23c63671fa3fc65cf7

SHA1
b83d62ead84a9a5ad760ebdbd1c37c6d3041c7b0

SHA256
2110cbb97ef3b047d3fe57c3f095fdd9200e8761c1a122f364ab397932c98264

SHA512
0fb130c0b3541b33c018b5b2c24710878d76698dde652a6b8ac07d1a472861ce0785fae3c61a23919af7e0409a660380a2de196639ea6c3f87d5efdc1435df46

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
2ba53dc4656ec8e7eab843c077c8ee22

SHA1
52e12d6adde270e65b71a7817988a1c924bae839

SHA256
164cfc90e13f394fd1b6f5031bce266fa91aefdb62a456c05cc5d762cbfdc429

SHA512
e5948a39f8609b2f2e11893647990f4645407ae8cb5962455cb744ca925da8951a7b30d0d0b9610b7e54dc4fb7ae6610564dfe31d1f6ff5f7e25d8a8825c6eb2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
2ba53dc4656ec8e7eab843c077c8ee22

SHA1
52e12d6adde270e65b71a7817988a1c924bae839

SHA256
164cfc90e13f394fd1b6f5031bce266fa91aefdb62a456c05cc5d762cbfdc429

SHA512
e5948a39f8609b2f2e11893647990f4645407ae8cb5962455cb744ca925da8951a7b30d0d0b9610b7e54dc4fb7ae6610564dfe31d1f6ff5f7e25d8a8825c6eb2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e2cb9542aec8993e04122a2d27508dd8

SHA1
e1423dbc9ad5053efac6ef1caed765e299ae4150

SHA256
481014485838db6a3abd8369019d892d441b27447a851423b5aa69664b0ea230

SHA512
d48788d6686864cc383a989da6829687328018b73aba68f46056fc6557a8424d9b27d343b2b55e73589fffb7104bd761b9acd734479db52e3f0de48b3a1c3afe

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b551dfa9f36e37a02b273271515137a4

SHA1
c249d63feac96c7968a1a0df0bb5a718b30d1d5c

SHA256
286700ef402f83cb463f958e1ac87b3ea13ed57d80805ef39af027b34852f838

SHA512
003584e5b2a909e43e4c316a197e31214bfccaba15c1d2251a85cb307ec5e8c9f915638ca92692d562f941b7be0bb41c977f715a098cba82b3232504e93787fa

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b78d985d90c7f8307eabc507f487a110

SHA1
519175d6747eca7eb0931ef30acac57e7d375d24

SHA256
4fee1ecdc4b7c936de447a1e20595577ceb7b3659757a9e2405879b86893c9ba

SHA512
0a989dfbaa782d10170b477c696ae614a537865c56e3f00840291f2fb98a44511d0c5ad4bfe76e687e4257f46069fd3c2246bd1cd010b868f9e17610b074ad9c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b78d985d90c7f8307eabc507f487a110

SHA1
519175d6747eca7eb0931ef30acac57e7d375d24

SHA256
4fee1ecdc4b7c936de447a1e20595577ceb7b3659757a9e2405879b86893c9ba

SHA512
0a989dfbaa782d10170b477c696ae614a537865c56e3f00840291f2fb98a44511d0c5ad4bfe76e687e4257f46069fd3c2246bd1cd010b868f9e17610b074ad9c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
148041392fd784f6d064c2eac8466a33

SHA1
bccdd0191b7fa79dc518cd675e2d83def0e5426a

SHA256
157d6f36bd2019c9f1813a1940941c8d916773fb290a3d8a80c008b018931cdb

SHA512
e2d343f7b769d64ed770f02dc3510a026d2373015082581903611a0b70325ba37db433cc96db6d686b35abc689cb744a034765f1c2503e7a5b92ef9e4ed7074a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d261107ee7abb2ea1cd461c7363efedb

SHA1
0469265d8b5a625ed787091e4ec68e63d4038ec9

SHA256
b6e40f54e611fa5d226626e072166c356651964e787e8f531521592e0e81f7fc

SHA512
d5f59f82ea56f529d0170b41615fcd2e646e1c39a61ec31e934b4348cc108fdc577d8fa3d8cd1c64d446450c343508b4cc3c0ac1986fc5e1f102cadec2aacb67

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c73ac2b1a2de1ae88669d86749d198ee

SHA1
a444c1d72aed7aff2cd9ec24260bf0be9902e4dc

SHA256
e90cb3ce5aed942f856405c2b2876cfc65107cfc97bcb28a1de92fe56f0dae26

SHA512
01a43e550f55bcb198daff2e657f0b25aef8bd5a8106864f321662627d75b7dcd8c4a29cf7ea2ae48504547eab4a80d24704481381cb3fcb0a16f1b8038510e0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
94d378919d3ce77b751c1f25e0a55af2

SHA1
663395e79a95dfadc4e3de4fb173c8d89d7d7ba3

SHA256
3fe6f3da93d4fb040ca8fb46213dd3b6afccd8a58c516a8b6b03914a6562f865

SHA512
bf1cf32e3e4f253765c10b3f96f67939305db56f02a2a40595bc85156757c754c2777517270f85d5e99f8a02a133cb961250a8215e1786a5b6cd4c8d453b96ac

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
cfeacc0ca1741d6ffd64dfbf31026c31

SHA1
cd64247327ddda7e9b61d344d0f73c59fb071502

SHA256
436d20150a09d6b7c1cbced85ba51d96dbbc1fe215cc74b75ca5b511f30ae99d

SHA512
2f12bfddcf15cc585c871fe0183c70d9d7cb174dd6ab46b2d5798e6322af92bdf3022702a58e32ba1df8d0ba2c5840aaec3ec2eed94f49d73628d924ee1b2a03

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
90a5b073779940d035608dd23d960b92

SHA1
6263500949840c045559d79bf8a8692fb02d0755

SHA256
32fbf0724823eeb7268f964ae543d79a39e8159ab8528bd75785c026b55ad821

SHA512
7c6d3bf84a67d656a3f04db89586963c5b7f9311ae0b44fdeb13bce329d5c0c4ca27b67802c6aac9c66f6965b69dd507ec95449169343534a6ad9462d3bd7e7e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
89160303be44ecbe481761ab30eaa2d6

SHA1
6ac38f3fbfc88f6480b971b694504fcf37b17e13

SHA256
acecb1b63aeb99e96013eb8d416095113360c8ea61021c8843aa3edab1a519ac

SHA512
cfbaf5542c35dff0773177eb2622edc0be4a0ea92b4796eb37f2b9b6de57c2f43e0e7f6e343432e4ac9d14b91d5647766719d10f81313a831421742e65b0b2d2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
99b3b60ffa9768ab7dcd8701d67808e1

SHA1
c6b6aa283215c707232c19d8fd417c100525300d

SHA256
bae7309e7ff0e14249032958fd5ff6e790de2c3f2f88e8a3ddba10b2334b4a0d

SHA512
31e6fbd0710ed681a7552e7ee3430f635ec837b583bfe0a7d2a4d076dcbea9e32ef220228966f89c5bdedc11d241622ec1101ed54a5b5f85ad423ca4eab9a826

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
afab78f11e042cafe320157ef2ef23a0

SHA1
7740f3877f1106eda3eced16f36937e0300ea279

SHA256
0f7fd3a9925edb26238566a4b5b900339dbd13dc79a2cce188553c465cd813ab

SHA512
9ee8082cfa7b2a3288d37c4de45a27d380b0dc8a984ca164567446e0bad31d39ccca9f5fb9167577d802a7166fba83be69e5ac1f9ef446430c4706be7a61e95a

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
774fad7a037baf7506d602d4cceeab82

SHA1
3d62157ea1340918a0f961604a7dfbdcdcab77e8

SHA256
cf9435f96daf090574bf1b5ad9790a472d68d352d1a0c33740ced718916cb599

SHA512
a7805ef0aa3d0f78f181322a1f93b06f8f803289aab9b8bb547ebf6128f2a22d11a8689ddc8de4f298b4958740c5719e9ad0eafed24b4096d433da014feb3f87

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3ec5476f1a63e5bc626545035091e8e9

SHA1
a610b61b2e06eaecaf1b6fceba008e0489c7c491

SHA256
e13b4100c05263148aaf97d690fb617707bb08212d6e823d02de195024cdc951

SHA512
ccf848056e16d7982d0683d1abca3545c957ec8d1ca77213fe5036efda3ed6b0b181909a31bda63c111d6d6f0965b45279be8e3c3c6ecd1155dc349b2186919c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7fdd4ac64257e06f3039d97e06a78689

SHA1
4d0475083db4f18cc819a1dbaf370646da755b50

SHA256
96e90891d0d13082b0df3652550e3251a8777c28d034c69e79a1124770fe5770

SHA512
e507fb68397c79172fcbaf19055090c1ed49c690008827545c639e7e302c5809a49aae94206bee8732e97570bee9cada045521c3fd6711d283b68c15d17f9f9b

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
97bc68c92694162c48f3f49a75ea9ef6

SHA1
0f3d6f44b4697289a6166e168ad7ea7ff28e0d34

SHA256
24adc12cb12b38d9c5f33af54432e8592a9e141e2578f18a315425fcdd1b7d31

SHA512
bf4815c2835c2242fbfcd3fb02eeb3cfa4680a570e32a6610c0755a2ca305a25469fa8682d35afc6cdb444419117e986032a22c6f137181cb2dd2c21297377f8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
78ef1add4da6689e55c3182abf9df683

SHA1
369ee11dfd88e84549c5aac8befdab01e39d2a72

SHA256
b70181b6c90afaec487565e0645a1e9a0d500417386e350d791006a4449fe885

SHA512
3eea28f4bd1b78e7834274b135fbc1495f4e83fed7c75e477620541dee0674db91a3ff82f18758beca8135c7cdfe3d2e6993c136a52741de67e8b3c196d02ba5

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
ea16f95bb98bcb06a7008ccc60747606

SHA1
3c90818826d0b386c1586046f169c049d55aeb2e

SHA256
2e01ee33fe283334c872d464eb3c8b06e91f11cd2ab5fe59ec4ccded89b3eb08

SHA512
833f71d2aa0acb6151c7a9363ba124f686c5f69f045f3c4e20c8d33304c6a42d0d33060eebeaf63af96309800ee3c1d420b281b3ec4aebecf59dee5f49835528

Download Submit
memory/456-338-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1124-176-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1124-170-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1124-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1224-378-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1300-196-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1300-181-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1300-190-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1300-187-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1652-149-0x00000000028A0000-0x0000000002906000-memory.dmp

Filesize
408KB

Download
memory/1652-403-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-158-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-144-0x00000000028A0000-0x0000000002906000-memory.dmp

Filesize
408KB

Download
memory/1652-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1652-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1744-411-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1744-617-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1836-226-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1836-228-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1836-217-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1836-223-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2300-295-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2300-584-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2884-256-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2920-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2920-230-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2920-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2920-548-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3052-293-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3204-203-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/3352-290-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3424-407-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3732-405-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3732-156-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3732-160-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3732-164-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3956-616-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3956-409-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4080-288-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4108-311-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4248-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4504-380-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4504-610-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4528-137-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/4528-139-0x0000000006CC0000-0x0000000006D5C000-memory.dmp

Filesize
624KB

Download
memory/4528-133-0x0000000000480000-0x00000000005EC000-memory.dmp

Filesize
1.4MB

Download
memory/4528-138-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4528-136-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4528-135-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/4528-134-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/4752-255-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4784-705-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-662-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-706-0x000001C87B030000-0x000001C87B040000-memory.dmp

Filesize
64KB

Download
memory/4784-710-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-711-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-712-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-709-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-704-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-703-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-707-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-702-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-708-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-701-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-700-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-713-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-638-0x000001C87B000000-0x000001C87B010000-memory.dmp

Filesize
64KB

Download
memory/4784-659-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-661-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-641-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-640-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-714-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-715-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-716-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4784-639-0x000001C87B030000-0x000001C87B040000-memory.dmp

Filesize
64KB

Download
memory/4784-717-0x000001C87B040000-0x000001C87B050000-memory.dmp

Filesize
64KB

Download
memory/4812-193-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4812-201-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4812-200-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4812-506-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4876-601-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4876-341-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4984-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download