blustealer | d7604717f253c708b811bbc895b9baeb3f9060161bfcfc7791e42855ac3f1927

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2023 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Size

2.3MB
MD5

2a67b3a60052a5c4a7f5a799feb3e95a
SHA1

632f937a310a689f8cc71dad111a6a0074486646
SHA256

d7604717f253c708b811bbc895b9baeb3f9060161bfcfc7791e42855ac3f1927
SHA512

cdc3fbefdce5c55855ca8c1d3a0e08d49430d518ad01812636b84dbd97835ef528422dde80459f14f24113f4c482ae599a6db2a88990aeb291d15d935d80785b
SSDEEP

24576:pxgsRftD0C2nKGH0Djsf9nz4mloFQnpXUMPQDR6q79dA:paSftDnGUDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1048	alg.exe
3916	DiagnosticsHub.StandardCollector.Service.exe
220	fxssvc.exe
2744	elevation_service.exe
4676	elevation_service.exe
4444	maintenanceservice.exe
4100	msdtc.exe
3204	OSE.EXE
960	PerceptionSimulationService.exe
4368	perfhost.exe
4152	locator.exe
4456	SensorDataService.exe
4272	snmptrap.exe
3880	spectrum.exe
324	ssh-agent.exe
4292	TieringEngineService.exe
1372	AgentService.exe
4916	vds.exe
3468	vssvc.exe
2240	wbengine.exe
4904	WmiApSrv.exe
3212	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\vds.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\703d3d43c9ce9937.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1216 set thread context of 1112	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	88

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\BackupPing.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9415cc43688d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007417b2c43688d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d9278c73688d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009efdc0c63688d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d63f7bc43688d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008eb852c43688d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d0480c43688d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078ec61c33688d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ef62ec43688d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	68	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeAuditPrivilege	220	fxssvc.exe
Token: SeRestorePrivilege	4292	TieringEngineService.exe
Token: SeManageVolumePrivilege	4292	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1372	AgentService.exe
Token: SeBackupPrivilege	3468	vssvc.exe
Token: SeRestorePrivilege	3468	vssvc.exe
Token: SeAuditPrivilege	3468	vssvc.exe
Token: SeBackupPrivilege	2240	wbengine.exe
Token: SeRestorePrivilege	2240	wbengine.exe
Token: SeSecurityPrivilege	2240	wbengine.exe
Token: 33	3212	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3212	SearchIndexer.exe
Token: SeDebugPrivilege	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1048	alg.exe
Token: SeDebugPrivilege	1048	alg.exe
Token: SeDebugPrivilege	1048	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1112	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 1216 wrote to memory of 1112	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 1216 wrote to memory of 1112	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 1216 wrote to memory of 1112	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 1216 wrote to memory of 1112	1216	1200-140-0x0000000000400000-0x0000000000654000-memory.exe	88
PID 3212 wrote to memory of 1120	3212	SearchIndexer.exe	115
PID 3212 wrote to memory of 1120	3212	SearchIndexer.exe	115
PID 3212 wrote to memory of 1036	3212	SearchIndexer.exe	116
PID 3212 wrote to memory of 1036	3212	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\1200-140-0x0000000000400000-0x0000000000654000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1200-140-0x0000000000400000-0x0000000000654000-memory.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3972

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4100

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3204

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:960

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3880

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1520

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1120
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d10f5fd8c0d81a2e5a4640c831e7d2f5

SHA1
395c1743580199157ec7710066aa6281b65f56a5

SHA256
07905e467da696f3a585bb3e2956e3081315cfd8834508d1b579cd4a2e51883f

SHA512
0e437bef16e9d55a7fd6f2da3b0689091d79ed62d72c0c2d434e155560eb3c88bf0b474b0611bfa24746c01c4e1b83438d9b90ae5d687d5ce1f035ac8e53fa85

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9d8624f02e888d45460a53bf25ccb82c

SHA1
ab142ca71cb3b5412ab204c38dc6c8abce0557c5

SHA256
78dcf33b218805397deb977012ae682ba98aabd8fa1af2566da8f7d0b184f08e

SHA512
9e6997059ce04d348153733576eb98273175be87262c9ee00ec01ef32e0add202aca3d27e2a60a618f877bbd69f31454d1a4d471f1d76003a37ce636ce94b25f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9d8624f02e888d45460a53bf25ccb82c

SHA1
ab142ca71cb3b5412ab204c38dc6c8abce0557c5

SHA256
78dcf33b218805397deb977012ae682ba98aabd8fa1af2566da8f7d0b184f08e

SHA512
9e6997059ce04d348153733576eb98273175be87262c9ee00ec01ef32e0add202aca3d27e2a60a618f877bbd69f31454d1a4d471f1d76003a37ce636ce94b25f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ee3d9e97989a0facace78b05ca6ab97a

SHA1
ee27d5cf78a517f3e9b95e18587c9e5607a210a9

SHA256
30e792fd4be8ef3a41526d8ceb19003a2c1efbbc25f6e6a238e1b5ddffae5587

SHA512
6302d9ec985257217bb83bb7b57adf16fe95b1131f7de9ec4dd3a667693b025c5298bca34b0d87cfc94307c15189b7a4423d2f37f81e343a6fd9ecb3eae98e76

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
03fa33825c17cd4da422465d1499276a

SHA1
27da3d1702dd2afee8e092720e11978122b9933f

SHA256
d6063ea07c4b1f969967db4f2d56c5e6fb1f62343990dd630073c95cca95965b

SHA512
814b8d090b3663ba58747523f3f343ba54376869b1580a651432f9ae77ceaa9ddce23d0abab1598af66a2f5bb91de236e8a3ac0a176b8aba1a8b3fb3a4982435

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
635a68df4542606ed20bb9d02d48ebf0

SHA1
c2839cfa4a5cf1b51fae9cb05cc790df05f87412

SHA256
31898d9920770db71f6ed4be4fbedc49788c75616100073fd1be1aa3aabf4089

SHA512
f788885116b4c8d4669163682b8089b91e95c7882b7d686380b1c11923841332bf22fd0ef0322397214dd60d39478e8be897f78c377d7b704711b7c2ad0747a4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
2506a51b84bb5562290348c02eebcf61

SHA1
f03192b6d4d8c5a4dc97462fc73b2134c8ecbd3a

SHA256
e30f89e574a2a85fa5ccaaf423dcbfdcf133d86c5a5fc6900b3cbc1dc996922e

SHA512
621e33b682f0f119799f0a6e49694db46254d8a83631360613d84c02125397ba65a3d446e5e09292974c7ba012edee8f73f0e30f2e3dd37272fbd9e98bcc8d67

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
6c446add1557464423e06bf4c08361d1

SHA1
cd37d7103aa02963bef7362e4ed84f6b2b402f90

SHA256
e2d68119318d0d9e7db444a2de11cc19dffdbcc20c3425bcd4ef2aca342ace96

SHA512
287f078fd0ff3f9c3870bb654385b4a82c4e41fd2dacdd30ecb2771483e7410c9b8a7ff3c9d92e38763755c51de76e877d3d235b4dd8dd6f96dacf3d0a24e2e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
15daac17cc08ff752cce7a996d15fdeb

SHA1
de195ea027b61a3a5e3cd5c80369ac73a9fd1384

SHA256
427f1580005309222fd3200f1d60549b0b45ddbf14f22f12f0585c1b66706ea7

SHA512
bed53f3feed646f65e09f670e164efbdddc3e24e5b2233e7fd29dbf7beae3ca1d8fb9a20234e80993140491b1f4796ae789c42bb408bbccb3a903bdb173d7284

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
4bccfb623354f2846de57d8041ae26a9

SHA1
90debaf73fd5873b523d0258e11a60dea600bb0e

SHA256
2d6ca42f65930f2d8bba37c40cf08b6bdebd02e01ff4c331615df02a3eda62a0

SHA512
dd295e6b285f692841216efa7e9fe03ead41a6bf26b72db303d1b7ad40d726f1b8ab55f49308d61eabb99c7eb32d751784879e244e82b38fab87e3d642aca7e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a83628c26c90716406cafdc6a9e25c07

SHA1
cf34661534b8a7add478127a85bf33f26f5329ec

SHA256
7b92a68bc6d085544b2b49ec7c8e34db6cfc1ef8e8c12baa042dafab46efff84

SHA512
5cfcaa562505dd038edc0d90272dbf6af0e67a6fb09cb6a54262d5b583f57dfe661f74d55541060e95592762caf441644da09580f56880dc142815e76ab89193

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cc4085811c66413ad21190d97865507e

SHA1
99c7d49cfdca387d174a67c67c7fbf3de8abdefa

SHA256
1ecca3ea586f2f9a44a90d92917ec37b8809cb9bb21604ecc101072770b56cd7

SHA512
b879c486cd2be4ed8807ac740a60b3eae82cfe7a4969b84d113dad07e6747087b08ba6625b50959b3af193260cf00ddaf57227054fef4e40c44a8fb4f4248627

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
42343f4a2d885af09892df7b61a62c2c

SHA1
5eabdc4f2b6fc4babab588cbe4b89d184e959087

SHA256
8e6291bad498a45640b1b990ea51cf8029098b59a5d44ce3cb3205089bc77749

SHA512
987b2cbeee8f9fc639ee2544e1a551c10704c09f4db6b32917dd3e2739168efade7aad645d3b6606c579599c862588fb5e04211d6901bdd527f9c1cbe14dd5a8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
843cfc8c8e6a319e97f99b1636c47b44

SHA1
d4aab81935e89833025fb7f03028afd63f3fdf38

SHA256
cb61807cb5cc899e9a0259e65012e288ee3e47a438aab7b5669c84489aa8644d

SHA512
d23a0a22be33ee619596b515685cfc1b2fe2bbd8374c4c89b9e4e74f0b42ceb04a182a232b1293856c97abb92c9dbf214bc1674140b8d5b7e7d1788028be78ea

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e18fa2c78bf096c18830e2c3025681c0

SHA1
09a0747271f1e6fc6bcde10df68523e6e6e056bc

SHA256
a8a13967f6eb506b50a918cf518284d4924b936464e604458d0a8f8e01a6b229

SHA512
f1e432c76d1a2b230567f6e6d991bc0d8a9eb894e9cb08ec81e3a8825d495b5a6fe885056ee1657138cf8f6f4fc19134beddafc1c7f710472d8bf31d52e3ba23

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
b6d5de856de0e86189733f96e8a2fc0b

SHA1
2d90182d67a7e10fa616f36ad670fe2b99d6f026

SHA256
45470330e5513b831b4cb01e6f257abdec95016f2a356451c149216f99a93d0e

SHA512
c1fce8baa6cb155156c41dcae4326f053d896659a21fee66874eb7796bf0b68e5c9e18c3c949bdf03541ce137497507d113b03797ff08e3246a8cd11679b286f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
76676b7b81432b650916dc1697ea6692

SHA1
b67fdf810b35e827a4d607dc65cc41f4a4acf569

SHA256
f42dfd1a62c7b25e19cfe484b41f89671a9a7c11bd2684cf7d881526d7c02b9a

SHA512
1b0480e3d78bfc47239ffac37e85480d7d24b9e07a70f8383a38f59683b5a0c384c29a4c2ca2b1b01ff7445c4fc2505a202c07269f83cea06d700234d8666781

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
2b3e2e3eac7407ea90f642b473985bc2

SHA1
bfe6be585360114f2a6c1e358eb41b8b3d2ae692

SHA256
0bc977fba1238e99fa641e2a22005fedeb3aac137dcf907fc3ef5a41c669c3a7

SHA512
a33d51a7db387cc9e015c10f2972b4d589291c6d052a27b535d0a2046224d633ebf0173acccf96aa0668ac08eb06a4a10a5f337a7f765b9dc79deddd11014c15

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b0955343ff90c867fbee6b4d12d207ca

SHA1
e48088b60fdb2864388326d9a6147d663d4c35e2

SHA256
ab469a3e21edf1798c2b437e8cb3fab78b92e9dcd62693b9f07e1a18a81fb56b

SHA512
563af071861bc8bfb3ad7f0c4ac249be8efe8e197c136daa4bbddb79dd5061555d19e55c14988feeb0ecedc140e4f950d4eba90e95f10d84e34d9991f1378dc1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
270e45e939235e3d1343e951b2b9d1cc

SHA1
8967282f00e0041671e42a2beff881e875b0018a

SHA256
130298a97f865ec3f40625ccb7122620404ed27e3dda9600b671dff4e0ad188e

SHA512
c3e62f6602483d4a10a6c59ee588c4f322822732ea37ac9cfa82ce9c8f2c943a311fabe19ec6bc46576d5e0f30560c88a00b819e11a34e9d4eb02ec3b7bb10ee

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
1e84180978da7f89893e21e82713627e

SHA1
b5e7645963e01f0c434c2118d0b46f35a218d798

SHA256
428b6ae445212ed12deeca090d7b9abba75d95d569e34835e6774d147b001fa4

SHA512
6c6105f70ddff434551a9241b25b25528b2124c36e86527589b63cd5c31c46234c9c17a03fc6d3f675feaa591ed0f5c6579868b713ba91320d3885124bc52847

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
5368e3d264d13c952e43bd509b2585b0

SHA1
140de250326750ad23759a33ae9ce068e586a453

SHA256
9a209034825fce131edec56b066306b2b0e28afcd293cf7e6ce10c19975b73d9

SHA512
9b13feca06f4e898c5f0d5c027732c089091a81471dacff18f2eea3db451a148df8c10c09881936e20a135af6171693691ecfed0ef29a9d12f74b8fdba098eae

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
fb56b0f2f6e0c46fd8a7879bdc6b1e72

SHA1
30e9b975dbe33968386efbfb13e3c1e35c769c63

SHA256
05269bcebaad5b1e8e3db95fb41d212ae044fb001b4ff8aae16fd3a3db3d075a

SHA512
cbb9d00af1d66b74e49ba50a89db0a3738760e2ae45964715146ea0650ca5d349c994a9aad17e1a161acb763246303edf55337cc4daa20dd3427632def80771d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
67014fdecba0df59cd5b58396398baa9

SHA1
3fdd2dec07afb0ae015373822e8b1d267e9267ef

SHA256
0ce2ccfe8711d0300ac737200e046b532479b6a6ed58d3baaca0b6f84d451911

SHA512
e925653cc50bde086bb259896bdaa66c22ca3821e0e598f59a9bded91c5c4bde46cdf414923c67013db0a68ed13e2456f5c8f4d566fafa130deb16be2f9934d5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
4c9505a1a3de86ee58c3808781060845

SHA1
0c2a8e085b613b47ec8bde1871a5b902cc8b8bae

SHA256
dd83f1fc2025ce42a5003fe4b09f463d2bff75c5010e3b0c2b058ad584349f98

SHA512
aa54fb60e877d7d024d8f89b1893e634b21e907cbed89ee9a1728cd0122e31b98c4f41a572dfdcc69fd901c173462a501aaad0e7f3d39d91a13947c6fdd84d88

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
6e287019f3b22b74076fe0835cc22573

SHA1
3b2d8d52c433e8d7fa0a617b74e6467d7169ad51

SHA256
c8cf7e872a7089d46a73391b50a74db324ab0859a8a39d9118fa0f8291589708

SHA512
73d61448f91d2aa1e645d6df3a5d4ac425d9a113905fa9505395c1f11fe1e066b48beb3032de1156498f0807e9881d344f0f239db3111a5aab470b47633a9782

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
d5cd8d8fc616d031ca95d3233f9f7a59

SHA1
df48c073bbf333bef2e492623aa815b87681b344

SHA256
bda915a91b259b6bef22a72b5d8f491020199017f1e5ef0a1c3fbd0126a9ff2c

SHA512
a5ddcf8c3ca23d74939d681d2360e710397fc6fbe267643dce3da43e647078d14c6bb94055d06e5b3418d2b2defed793511fbaecf248ba10aa412b54a4d99b50

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
780334482680014d67c7ce2d972e0c40

SHA1
1cd68e3363a40867138a9b710f57766b496d4662

SHA256
88f60ebcc0f87cd7891ef8d12aa1592a3112cfa40af089b11ec1fa36a4bb32eb

SHA512
1b5e8f066069f60c80d749686bb18bbd259063312e2fadbff969e5d0724d8359a7e79bb085e13beca1d8c552af7438d2aea1051c084ee0ce265d4534a80fa5f7

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
5caa9b64a7aef16d2b33fe653b4b53bd

SHA1
69a3616707b9cc21c1808785acf6355296c21b16

SHA256
e9c63b3eeaedb73ddf57b12e9339c5204790b25231285c434b6dd067bcf057af

SHA512
bfbcd4be0c1946103347466122628b0d8642de14201044d9582550b1434f414aef64541d80d59a5976185ee6477e924be9bc0ae25306aae3e62a429381438dbf

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
d71ff98e65efc43776a3081fcad83b34

SHA1
fb7f3a1dfbc56eebeeeda48e890502b4d69d5684

SHA256
c4b0fc30eb75b2a8dd6f19af9530412fcca360634ff9aaec0135c50b873613e1

SHA512
15ba0a341cbf2b1b4ba8ffbc5fd2e028269bb2039124e038df999623d55b745736ec7b35bfc6e539a9df80ff76ed18217af5edd3f37895847e270da8ae3a57a5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
c0864d928fabf5ad77feafe7e36c0d7a

SHA1
fb09ebad73c8ef0887852eb09f2a753b248a2f45

SHA256
716250f6c36f72632d41b2987c4639290d0cbdace2f29c0d080dc13c9c7c2e30

SHA512
72d216c8b61f53b3dd515138ddecacb85cd91286a9c6a1108596192ba87a40f58e6102a8304934b27e06b56cd88ab2981a887e08943b180eb633d425788449c6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d2d1ec474ef0d61e1f5849ae8ae110bc

SHA1
757839e7138bdb6a8bd8d6e7ab3142bcfac0e3e1

SHA256
ec7129e0a7a742b9ea6fc47eec8d943b95b95d082f89b6e47c5c4388b47cae38

SHA512
d9a3093d660a82cc30602f56d7b2f9c88a50a7b14174e0fee7fc70ac4080eac68db07c7db97e1734ac897c453fada75b15f3813b2e467074f9aca8f8565b6225

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
b3fa9a3208a375c3a973a967a415c013

SHA1
2a229be85b721d269707354acf1d05c7b2161d44

SHA256
cefe8fa1d088554b8fe8eb950512166b167300d671c70b95dd5e8aafd8d5c7d3

SHA512
20a06aacc60d01508517147e31cd5301e5b14039f9b070a02fd5ba0d501cbb62107e6a33af32926b30f705817fb72948a7e29793ca77792efbdc5940bc0381a3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
7d8d7f1b5e77850cd567b2bcc5a6d187

SHA1
b2a15595e9971ca648009ca051176d6c62e23e14

SHA256
fb1894fefe08147f68027eb2a085a623a0b7eab3eb7996a21944d7c944269b59

SHA512
d129b82589d44984ff0574fa423a62ca25fd764a9c0f7676a0fbe2f700dd59fa95fabfa03692a4f6503cae4b4cea8dbb50925a4a2442ae95f0b71cb55a35beed

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
8b524ff4d76b09b8556ae0ca4e47286a

SHA1
ed3ee7e6c7b107475491ba3881635a39091b9bbf

SHA256
a93009cbb34d5ef915ddc4464857878a5be0f76125995bf8b855ffd192a93740

SHA512
7c475a9d4d81fbf5fdb883a8d80574932ed585c21433cfec87ada715380909833acf2027731168b644b3f448c1c5dc45a0462e66eb6aa26e720369221c6eae6e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
2097d7f77f57c8a66633371c5dc8723d

SHA1
153d6e8e7c4fb338d322aab4223be368cafcd3ff

SHA256
e5545c02a6e39c2adf17317eabdb117f8ca4bda1c3d39b3155a18936f002bd22

SHA512
48d7df7efd9e84e9e83e82d4512905dbf9719a37192858b3459faa6a1d39795fef9d7a29b8eae58aa1b5cdacddbff8efcde4e267fdf619e6995bc76368437a8e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
b307a57e35d702a9fe5e405a28ccbfc8

SHA1
de258cb3d20a259783d0c635652a9435f3e1f6d0

SHA256
24c42ee694228ecf74527339eac16c8a6b503e1662b24055a2c05cec4eda70bb

SHA512
3187c4909e240f8abba9306facc97f5c892fdffa0f5b7718035b3abb5f91a11429075e22a8bf434487f79010024ae9c5e4a916f6c1ddac73f05fb123eb639b8c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
332fefac46735c8bad3b2cb2f3812595

SHA1
01760e07b35215a967cacf0b6427a3b6c50f1045

SHA256
124526336d84c322734ee6c4a7abf67cbfc9ef19bc89328986841f6882f1a486

SHA512
0018d883f108a8d7f0d3f18559670d05fb8a3bac86c2f17daf514f2d4b729698759fab385ef2e8a9af396adec623cf6524cfb11b33c4867d720980f4e3c9fd2c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
678c50f9b6e9132673960303f09dacee

SHA1
01de7d332734d6e324b546ebdff1e98436cbc676

SHA256
fb1aac0760bcf5ba506d8fabaf4c412745620d24cdd7eb6512c36ad7f94196b5

SHA512
a0e5af1493fe7e8e28621ba192f86e745b486a9478bc71fda106f7f97c28f20acc305b6dfb65b45f72545241e4ccb160735767b0055155318a4ccd6ca3a9ff80

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2a86693268d6130fa3ba7447832d1691

SHA1
14421f8fc4596d92391e9aec466166b588026fb0

SHA256
9ecba5a4508c747ce3d4ea2ebd5b2b103beb630f8d11e9d2cf1642519418fd50

SHA512
1d58fb4d5b7100252bb4199f9d5896abfa48dad4f87f9f6cc8a7dc184fa7c3e27501bbc2b6c79eff70dd701c53454acc954dde64a302aec5ae78acb6eb02b5bc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a203663862f60f4b91d0c2f0f94d3985

SHA1
22ac67cbe5d78e12f64c37d62a6a115d241bf303

SHA256
43052e29b77451346b46dfafeffa79d209676d939ffca1a51704cf03892d2776

SHA512
ae9adbb5a92383147733e0f84af39122ce3be602ce7dd5a3a16009255429d3660c7e720fc92c64eeabb1fd72ba7978bd3753bcbb5020d65d8e338001db0f3a3c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e032a1f3499adff73391401106f5c912

SHA1
01f63c4c8998aae0a20fa4c4978e46937290792f

SHA256
58f38c0281e6ae00139966f8712993a7b79d5d7b5f235fe8bde3ff7c16f28dd3

SHA512
3b7e4b4076eaebd685ae02da63888b788022cef32b83a97f6c65759ab9b541626f228a34f8dd939e2ca1ec3fd2c4fa30afcfea145e8813ddee46e07ee834cc7c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9514e7e6b321a1518126a913000782d4

SHA1
fc75c85c0de479a023adb757699b33619fa80e00

SHA256
b74f291c1927af433991c3f98807ff234cf57ce90df963ab36151742dd3615ad

SHA512
1d8992ebf6d64f3c755d6cd7d734842cb47686d8a1644a3dfbe95f22c4ea2311176ed46fefb9471cb498cc22d33658fb96fbe8836ff6e8124dd9528722e8a8b7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
a3c760e4f2576644c0ef4a06252dd7b7

SHA1
fe24beb30a0ddf06e4aff707b061a781351b6660

SHA256
119a20887ab05c2320e8327394672a9c1e2899b75622eb647b2e892885a6e4e2

SHA512
36069a19994cc53512bdf695b345e971b474e7bc08eb8f22e1bdca9fa583871684297b3188b9ff150e3d23d0b92a15f822dedae294d6ec88c553748c535d99ef

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
a3c760e4f2576644c0ef4a06252dd7b7

SHA1
fe24beb30a0ddf06e4aff707b061a781351b6660

SHA256
119a20887ab05c2320e8327394672a9c1e2899b75622eb647b2e892885a6e4e2

SHA512
36069a19994cc53512bdf695b345e971b474e7bc08eb8f22e1bdca9fa583871684297b3188b9ff150e3d23d0b92a15f822dedae294d6ec88c553748c535d99ef

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2003a72f748c0413f37e8bb2a00e4ec5

SHA1
6653402f363c166062a89c0c1b49e4c3df0e3b23

SHA256
d3552db4172406a21da2bd5343dc038891316e51004cef9a9ebc5529924dfff2

SHA512
9d54521a951a8db6a0098625b8f9d6f48743c40a8f4337333fb40eade8c681a521cc622839f1da4493ced6be1c00783829237f18703fd5005cec3a09e38966cf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e46341a7130ffc68472f03e7ade73e14

SHA1
797042f638de9da22d080bfebc725dac3f1d91df

SHA256
e8d10f34140be5a6cd74ff0501d55551dd3a681003f38922feb0752f872765d0

SHA512
e4ccfd2ab348b37a576cacae39907b53d9246ba069ad87c1045964fb2f0141f524f2b79d691a4404da7c3067db4f4ab205cea97c77842830b6bfa268330c4c56

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
56b0aee54be3ff64a4c7ca6ec9735892

SHA1
60da7dbf6596404f8cd73be70da6b3f5e657883c

SHA256
847da595f1b51c87adbb963d09d093c91f64065de7a49785ab4366fa50798963

SHA512
ab12641a0272e02cfd156c6ebd663dcb3bb02615f5038658549bfa43f3874678fe21ecdfa5c0f9cc6c4d8324a7996e11c2db3bd81ed763ec257029f203ec09f3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
56b0aee54be3ff64a4c7ca6ec9735892

SHA1
60da7dbf6596404f8cd73be70da6b3f5e657883c

SHA256
847da595f1b51c87adbb963d09d093c91f64065de7a49785ab4366fa50798963

SHA512
ab12641a0272e02cfd156c6ebd663dcb3bb02615f5038658549bfa43f3874678fe21ecdfa5c0f9cc6c4d8324a7996e11c2db3bd81ed763ec257029f203ec09f3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6d0794764db92fb174c4233148fbeefd

SHA1
5025cb9cf83bd17aaa738fffcc288489019a1f0f

SHA256
3da77e380dd380244ec88fc5bf4e018fd9ae508a800c315402b8c15272b0e7f3

SHA512
6ad2259214f4e53f9fe26bc4631bfdc73875c6ca422d54932d183c09b8bf91d76896457ff22decf1a64753f2834dadbf90af0071d8a236830f48155a945779ff

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a807ea049285ca3305f112adb6419490

SHA1
5eda81688675678043f466501c9d0dd7ed160e4d

SHA256
91d09a3f26a240054ede184cd6e2f743e4254995d2a40b24ac1f9e06b83d39ed

SHA512
dd874b284ec1cb96d92f3b2f18d1fdaf77b964c954ad07835b22f164f2b44ba855180e94eac4dd4a03b8b56a24687d0e24c3165e9a7c19afdc8595b5212db894

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
088e4108c1ab67d498c0421b72cc55e6

SHA1
c088b0aaec146239af9ff0a83cf6a2a87e2efe8d

SHA256
91537b017fffa7748703518e5b32cefcf3fa1e5daf2866c333d4ebf249621917

SHA512
29039c0d0c38dcdd7f8b22e1e91d67571814c6f12151e42857161111923d474f8532b3b015e8b32504f6eb9480ce7bce774c6699e6ba3d82ba5f0f8f0c785a3a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7c56be02f754a826dec83d2c2d524970

SHA1
b2af0e0234501904c5cbb3ca0cb475f912e05a6b

SHA256
734b1ec0f4d8a5e77155f01aba97569f0b2a7c3f73eda09083bd63a6a8db4571

SHA512
cf09eb7e2877ed44a4d8eb17dd61848cc8afd256eae5c0522ae1fe61aecb4015bc2747d7cc17ff3a2ef7d474a91258ab082d182f3d9403effd5fbe2d637dbda3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
8d4eef8312fa3ca5aa0c3ce9abee0fc2

SHA1
7d93e3be2f21d0213274a00b31cfdcfa47bfa107

SHA256
bd8ceca07467f168d7c836ccfa83d2625aaa16fba48e837a18f5015515ccc780

SHA512
a2c806dd17599971f7edd0d7bc313890e78fb740e60992f311adc8c5e395ca8afe96f14381eae7211d3b3b4d15c51973bc5f6cee2a8612592a02e1031e4c740b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
64120f94cefe7673007cec69c31bc5f2

SHA1
48516ebd813de3dc9cab1eb926cffcae40aebd6b

SHA256
4eb9ecbe20b946195926b4323b1c930c99be690789dbfd737f06ffd57878d0fb

SHA512
158371760e1ce2ed27d31aea516a56b9c54cf7a3fc7a48d3d090db01b33a52dff2fb4f10e6b5bd890ab6accdbb5ae05894d51ee1f80c27d1e645e7a56bb2119c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b3541a8771a582c51a8897bc9c061ab5

SHA1
f25d7a346a0ea882d6ce19dd5780e79f68e26247

SHA256
a2ffef72ad6414bff96b7d198897e55c4111594a76c33046af23437f9cfa19e9

SHA512
d4859bc2aad52feb8794e89ff50e17c7a9c6ab4c202339681c4c9317edeb5a38651d8f6994ace2a3afcf375c56844650c94c84d2d54e19cdd57c888054adf537

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c1581078b35c38791a611e168f4c12b4

SHA1
50e76b803f4395902810a7c3c0b2b39acaddd9b2

SHA256
da74bd8ffb140d4bf478e228f43abb92f469bf06d64fa26f4193ea022eeacb33

SHA512
5ce36d49441a0e1198bc5dd2f532151ad45da463f6395990ca1e26dc6f89cd3ca6a5fed70002a9e64e1787b59fcf536a6ed32f55fd83066bad4e6832324c98dd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f8c80d9359c4c22248bdacac3fda1b47

SHA1
052f8acd4b943f510c051e1eeefef7c0a4de9922

SHA256
42554e0a689ffeed31c351f3d5af2054b4d5db32bfe7edca21d236d57e739c4a

SHA512
e8660d367f5a0bc2d45a0bc146581f3218a8eec315a105facf544131d555a8c4c26b41b2b3d9f0c6fb1b5a12f6081669ea7cf8f5c6ab0acc6bd52ef1ed35bbb4

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
2a86693268d6130fa3ba7447832d1691

SHA1
14421f8fc4596d92391e9aec466166b588026fb0

SHA256
9ecba5a4508c747ce3d4ea2ebd5b2b103beb630f8d11e9d2cf1642519418fd50

SHA512
1d58fb4d5b7100252bb4199f9d5896abfa48dad4f87f9f6cc8a7dc184fa7c3e27501bbc2b6c79eff70dd701c53454acc954dde64a302aec5ae78acb6eb02b5bc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fe196ad84d32707aec5cc8c8f7d9667e

SHA1
2eec3674c0a85916e0d7d8c65c96a7af1c384626

SHA256
ac28b096cc528ee17bf7d16af76aaa60003631512ea7578ab13620c8be71f0fc

SHA512
c0b70c08fc24e8fe46db87f1219831ceca696454db5560721d6dc55ff71208f28b7699c8dbaa993f2cbece0f5a09343e229d7d5f0b016eae7857bd896fd6c76c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
d75bd0c468fb519e5a78b0111c63a2ae

SHA1
1eb6f023cdc532f906e11bd2d8ca46864016043a

SHA256
025a96578bf75d5543958cc5afc9c0846aabbd0e505f86ba46b3e2f84f261283

SHA512
88044b9ad793232e4084373f095ad337d6033089ce55fd290a9447742a9ddfe829e283ef8859285a1cfde3176f6133a897815d09ef123b0ad1908be36cd2f040

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
e032a1f3499adff73391401106f5c912

SHA1
01f63c4c8998aae0a20fa4c4978e46937290792f

SHA256
58f38c0281e6ae00139966f8712993a7b79d5d7b5f235fe8bde3ff7c16f28dd3

SHA512
3b7e4b4076eaebd685ae02da63888b788022cef32b83a97f6c65759ab9b541626f228a34f8dd939e2ca1ec3fd2c4fa30afcfea145e8813ddee46e07ee834cc7c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
a68844b1ce37823da4411c3fcd60a63a

SHA1
b58e5b085494a1f697bd4bdc3d3dface7a6d75db

SHA256
b16e60c676f0e5f9f839db72585433ff4d534ac770221a25c0c5162e14aefc66

SHA512
2f23362ccc7572043f2805c9a86f1f8301f1f672feeccddb5f10bf9f2a6ed12f0a65d2bc98838eed7dc1baf6b538b287d5f57506816fd5088d2ce7a95df1dfcd

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
5e998baa521e209e39a6fb279d6e4bfc

SHA1
823f6c55d07656a4a5a935110224411f0b3afd82

SHA256
d6938db24974bc5c9637870950ce5e7ff11ad1d17abaa20ccbc6b4f85b2745eb

SHA512
29de0ae6723d608c60d4c0d8cfd75f3efcf95519596ab8b5872ec83ff3557a6b06c7d8c752461ada91953552323b0a75f3831cab3a6e8f44f21133735daab918

Download Submit
memory/220-169-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/220-176-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/220-177-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/220-181-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/220-185-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/324-596-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/324-318-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/960-260-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1036-766-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-762-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-767-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-765-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-764-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-631-0x00000152497C0000-0x00000152497D0000-memory.dmp

Filesize
64KB

Download
memory/1036-632-0x00000152497D0000-0x00000152497D1000-memory.dmp

Filesize
4KB

Download
memory/1036-633-0x00000152497F0000-0x0000015249800000-memory.dmp

Filesize
64KB

Download
memory/1036-659-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-660-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-661-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-710-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-711-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-712-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-713-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-714-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-715-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-749-0x0000015249E50000-0x0000015249E60000-memory.dmp

Filesize
64KB

Download
memory/1036-748-0x0000015249E50000-0x0000015249E60000-memory.dmp

Filesize
64KB

Download
memory/1036-750-0x0000015249E50000-0x0000015249E60000-memory.dmp

Filesize
64KB

Download
memory/1036-751-0x0000015249E50000-0x0000015249E60000-memory.dmp

Filesize
64KB

Download
memory/1036-752-0x0000015249E50000-0x0000015249E60000-memory.dmp

Filesize
64KB

Download
memory/1036-753-0x00000152497D0000-0x00000152497D1000-memory.dmp

Filesize
4KB

Download
memory/1036-758-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-759-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-760-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-761-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1036-763-0x0000015249E40000-0x0000015249E50000-memory.dmp

Filesize
64KB

Download
memory/1048-145-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/1048-398-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1048-155-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1048-151-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/1112-193-0x00000000059B0000-0x0000000005A4C000-memory.dmp

Filesize
624KB

Download
memory/1112-179-0x0000000001200000-0x0000000001266000-memory.dmp

Filesize
408KB

Download
memory/1216-153-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1216-133-0x00000000023D0000-0x0000000002436000-memory.dmp

Filesize
408KB

Download
memory/1216-138-0x00000000023D0000-0x0000000002436000-memory.dmp

Filesize
408KB

Download
memory/1216-396-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1372-349-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2240-401-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2744-191-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2744-184-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2744-205-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2744-535-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3204-257-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3212-406-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3212-630-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3468-371-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3468-610-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3880-316-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3880-595-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3916-175-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3916-165-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/3916-159-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/4100-567-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4100-224-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4100-223-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4152-291-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4272-314-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4292-346-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4368-289-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4444-215-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4444-219-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4444-221-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4444-209-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4456-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4456-577-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4676-537-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4676-203-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4676-196-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4676-207-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4904-403-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4904-629-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4916-370-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download