blustealer | 7bd15f22d0da7a1c042f50925778bcb0e8e90397ca578cb1cd2d2cff07c28b97

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Size

2.3MB
MD5

f02928ac338e079f9392afded9cf036b
SHA1

6044a58728a468376fe00802bc5617bc1cf1f6b1
SHA256

7bd15f22d0da7a1c042f50925778bcb0e8e90397ca578cb1cd2d2cff07c28b97
SHA512

b24aa1acfa14f89ef6945946eec192d34a7fe9ce352f6007bafcfde0860b46403799538a1e4853463afe618bbd40f601ed133fb4bb48aa357a162f302cb9df05
SSDEEP

24576:IxgsRftD0C2nKG80Djsf9nz4mloFQnpXUMPQDR6q79dA:IaSftDnGfDYf5zaCpXxPuR6E9dA

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4916	alg.exe
3352	DiagnosticsHub.StandardCollector.Service.exe
916	fxssvc.exe
2400	elevation_service.exe
3556	elevation_service.exe
4676	maintenanceservice.exe
384	msdtc.exe
2272	OSE.EXE
4776	PerceptionSimulationService.exe
2552	perfhost.exe
4680	locator.exe
3708	SensorDataService.exe
2856	snmptrap.exe
4456	spectrum.exe
4956	ssh-agent.exe
432	TieringEngineService.exe
4940	AgentService.exe
2120	vds.exe
448	vssvc.exe
1456	wbengine.exe
4944	WmiApSrv.exe
4980	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\locator.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\vds.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a1be3cd8205991d4.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1512 set thread context of 2032	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072c7e9da326fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dcd6dda326fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000713fc1da326fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd3de0da326fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006cacada326fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b150f3da326fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058a0e2da326fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeAuditPrivilege	916	fxssvc.exe
Token: SeRestorePrivilege	432	TieringEngineService.exe
Token: SeManageVolumePrivilege	432	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4940	AgentService.exe
Token: SeBackupPrivilege	448	vssvc.exe
Token: SeRestorePrivilege	448	vssvc.exe
Token: SeAuditPrivilege	448	vssvc.exe
Token: SeBackupPrivilege	1456	wbengine.exe
Token: SeRestorePrivilege	1456	wbengine.exe
Token: SeSecurityPrivilege	1456	wbengine.exe
Token: 33	4980	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeDebugPrivilege	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe
Token: SeDebugPrivilege	4916	alg.exe
Token: SeDebugPrivilege	4916	alg.exe
Token: SeDebugPrivilege	4916	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2032	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	102
PID 1512 wrote to memory of 2032	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	102
PID 1512 wrote to memory of 2032	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	102
PID 1512 wrote to memory of 2032	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	102
PID 1512 wrote to memory of 2032	1512	3040-140-0x0000000000400000-0x0000000000654000-memory.exe	102
PID 4980 wrote to memory of 5156	4980	SearchIndexer.exe	119
PID 4980 wrote to memory of 5156	4980	SearchIndexer.exe	119
PID 4980 wrote to memory of 5192	4980	SearchIndexer.exe	120
PID 4980 wrote to memory of 5192	4980	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\3040-140-0x0000000000400000-0x0000000000654000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\3040-140-0x0000000000400000-0x0000000000654000-memory.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:2032

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2348

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3556

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:384

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3708

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4676

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5156
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
63KB

MD5
340b1dbfe1a8fc22fbf75720038d9384

SHA1
52936b2b3cb5bf254addee296c0fc9fa33168e5c

SHA256
8b6201018a4538ac251a0544b1cf35c5d08afc65e799e6742563a9c3c4a51e95

SHA512
05e0216e0bf6ffc175144cae69bb78d4a552d110b04b44b1b172c8b043f99c2cbe70b8937368fb69cdc89c16f0fec306c4786960abeb23d96bfa905a72531cea

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8a592d74a49a7b93bea7ffa903d4efa5

SHA1
dc1ce11e8f1bfdffcf86c0f9c6bb9833f53e4517

SHA256
5b047f12c60ae98c04fd4befb5d3927fd871d8be4003fbc1ee94d927bd93f0aa

SHA512
1d455542c0731b7dd1a24a8bde9db3e6c98264f420b3b0a53fc85c2da80674020963ce74212e0ab0c7a83f25e75b0b1f7a441f67e9ee15cc713f646163792b9c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
225KB

MD5
19969ad367584648f98785706fd2e1e3

SHA1
f684b0bff610cffaa84e29647af5077046109ed3

SHA256
96dd39d8f5af7126d426fc393f1a3367fecf3c05bb15494e64bf0e33e3a6127b

SHA512
6317f2f12175dd2e812bca8f75b5c0f8ee72dcc2c2a9940c0a50b3b28ae1ec9b36eaa7806f63477e01d6b777e0981aa8bbd963ef8ce0afb6d582568c71a25049

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8c009dc4be1fbddb3911f6d192384ed9

SHA1
0b353e8cc2d19881596958ece30331b7e131d571

SHA256
eb42fb9e0e3bd0b4cf1a71669d44590312a346275737e4c28927017c3cc86ec1

SHA512
da7e7a8a6668bafdceac7935be4c808be39884ab829591d518b185c97249ebd4fd7b43fa96c17dd5e7fd1b15bd6afc464f9ab909809dadb84fe9f668a8809e63

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
5cbc5de2bf0a45950be2e38e1982cc9b

SHA1
818adcab4c0e045f0ff7d7eaa0d9ca5fa2b24b04

SHA256
c1a1d024ba74e10604c419b6a6dbeb2c4575470e7dec1fc491c534b35d12e6fb

SHA512
8146346d61423f76354660e5210ea4df9287d18f14fd29937a982330a77e0a0b0b9e9c36bf0e7771e713e85f041c694d6b06c4d6b4aa55dd7c2b83d85e5536d0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0391bf04f8fd7b37261ec9a993b8de2a

SHA1
37d75f5a46144a00adafb0aca333a67a260aea50

SHA256
8c92a99703f5920ccbaa52abf46d5cb30130dde8663ae1f74f07eaa318f764c3

SHA512
fb558c4916feaf955f1b9c1163ea36f0523e020ea9cf8daac577a448baccb0e4bf2a73fe96355f200fa0bf600afb5ff15a698753c0df94711252190991b60047

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
36790d215a30931764393ce47c0c44dd

SHA1
c242f06e51150b68d9adad0ca4cfbc60db6ee5cd

SHA256
9115ada8bc1f281d00ce50f3abba1c09bf1c335242d0a1ef12beaf092e2a99b7

SHA512
accafa0477627dd47ee7c6e43580866be2e4b039ffd1fe26908e8faaa60388b9c52f021402dcb8ab5300ea833549496472cf262b0a659b199172d6247ab52edc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.2MB

MD5
f1d1af2fc3f08953d34c568e4dbbfe00

SHA1
ede62b0d2241f326979efbc0859ecc8bd5476e2e

SHA256
112c7bb8696e8d3541699e4e916b11e52df3ed3504c87cbcb05c79700662b208

SHA512
369f5602f15011a96fd86ba271c66884d556679fc903f1a19b1b66bbbd8360b9c602b38a5a48950a86475703ae6fd2fff92acc8f702582ad7cc522c8451b58ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.3MB

MD5
dd4f4b0ee98852adbef3fe6bfcc92fb8

SHA1
0d1b443718e555efc1e3bd7b7e86118660cdc0d0

SHA256
0c20e60ded423f71f8804780931b3388dffc665398e21e933ab09b67c058a5ef

SHA512
68a0f24e7fe5c95b8dd48e2ffbbdfcc695f4d270d20ae30c61b3b35d669b81fddff60d86e16289baee26ae885e35adee3f648f0d6502700d2d007eb025d09c5d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.1MB

MD5
3e353a1fd156e5736611bfcf9f9e6952

SHA1
8e37970be71071f9b90e531ee453cec112406523

SHA256
d2f843fc7e34cc5f4050315cc8791922ba4443482859bc8893b35c36a2e8bc34

SHA512
98b3fbb8aaaa78dea8d83490b394ddb264ab253e8c22ffe9e6d7beef156f3cc9a6c3494cb23fbd2d80e6f5c644e0c809680bbb78629283d7bc0a9bf9c0d9d737

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.0MB

MD5
de5b0cf297231e2f474961d81a60138b

SHA1
52503a9af3d3dff2491390a1639f772d4ee96ad3

SHA256
589361baf33a6d897866a04df3537dd65bc38ccfe8023d0d3cc1a9be581f4e59

SHA512
801c9ddbf6eff107dc598b23fc81eacbfe64d7470cfda1f166ff224ebd04e78d718919bab7f3eb40e59ddc40d4f93b435045c3c42bf5853bf044233cf98be55f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
945KB

MD5
aa7662bbeacc888913baa4db3952a5a3

SHA1
f7bb4a769e927b8c3b091c251e052c6075a3689e

SHA256
075379f03448b4d4b53487c11509fbd6fab0c125e73d4701fa17eb55013607e7

SHA512
564b62e882ba4d567de5f1016ec4f7d22471d79cba7bbd9400e83913c0c1c6973dc561c4ab6aaafa483c984d2df55c74b951cf3b57a939a3ff238d9bc39b45ac

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
976KB

MD5
8e69f6787c3453afc7b4a2a8a1a6922e

SHA1
248e1649543d5f89894a7ca2b22256bdf531d568

SHA256
b02f0f1a09539686d770dca175520354ca22f0107d49c05ade9172a3160cbc73

SHA512
a9b08b722d477a5d1f5d58be14a51b09f15ecf122f5a19d0f716517f196f8221470aa9244313b2471d58d87e74002c5e2787c2671a4dd3aff97ea2ae5a6f3d9c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
128KB

MD5
214f8f03a855ca3cea79dd311daf1ac3

SHA1
360a3df85d24cf8180a5e2c663245b95bd298fc3

SHA256
756162d5a4dbc468499664b78d8932aa2566a77c09f1955cde298521bf305f56

SHA512
99b853ef7c4284c3fb3fd7cbe541bc90d083c82c4495aa8b63403b8719547ba93965fb2b29819803387b80212f6dd959566ea29ad85bf49d610df444684d3ba6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
742KB

MD5
e80be09f0f864d4e7f5087d394f18e0b

SHA1
02eb4c607249467c89ecf99f5375cc51579d1c16

SHA256
751f19de88f7796a3359864c5b4525c369a56c14c5baf73a0ebe67076eda2d65

SHA512
88926611144a534422dcf9b6d24882ed04d036db59f512743fac6515df43c7024f9d7222e905f21e92fdffe56acda5b03234942ca3da9bbe322a746d9b922232

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
550KB

MD5
afb2d8b02cbf925f5d642a3efb06558d

SHA1
f7fc306311bc4a7f62d8ca9cd3ae179652496c6d

SHA256
d1c728289c1901a67d0ec143c29bfbd6525c5fa268b516a0d3486b78cc8818a0

SHA512
9fcce91ebde1fda6a41614d49e1a8c2acf70cf5b523fa5b29c6b1ccdda3fef0a58edda56943aad02ffa56a6af37432373906b916c28ac1d111cb75888368d0ed

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
652KB

MD5
b491000024d956d5ef1653a5477e5009

SHA1
ff9e16677e6b3763d9344b630404f304d3b3319a

SHA256
cb26619c969bc9ee32cff2c8a9c419fbefc748dfc165f5a76f6c889aa98b4f58

SHA512
e50be09556556e70b472c82fe37da7e47645ded1419198f1c64d5ae70e434a0ff1776af219714c4ff5319ab7e9b4e2266470374df936f332a0b90172c8fe5d14

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
646KB

MD5
6054985a8981194a4ecbe46ea7a07c91

SHA1
3b0f7cf16dd51ef439a7441e4d6a2cd052b4affa

SHA256
57164cd46991f07259b82df492192d5648bfa780ab632a152eed5e43e2d8b05d

SHA512
2abfcff2bc2ba31fc8d781da582a110add3eaa3404883285a0c23f5bf6809132456646269831a5d04dc25b24f205ba73b1786b5665b078861963e88d7a5a5854

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
118KB

MD5
89e45864565d005537d7d98fbe6f30f0

SHA1
2c2912452bf18d02f2d2a66797066f323133ac44

SHA256
f15165e39527c946055142fc12d843950f367e4f5bb7bc930d3dcc4884ece10c

SHA512
f749ea5889ce575ff3f5c0d4ae23c03bed8d03e47da5600699920a1f8102a54e862d07658a6c997cadeb3b14c8c8e36e703374b0586a72c3f527a3a45d19121f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
529KB

MD5
09e6785370b5792d58532a5314d16bed

SHA1
d3b0483028aa4439b3f5eeefdef5ff37bb3f1008

SHA256
ed550e932664386b0202ed21aefec1e4c7313d3daa9fea9ab4f008a6bf4a328a

SHA512
13093170a71c14f7fc381eb998e1f7f7fb822a4abc5b11e2b91c6aa776e66d65dd898a8afc2ff071d4ac5343e7c96f2f5eaffd961f5f9fe206ce31f3ebe70041

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
607KB

MD5
a776e0c1742fe9193bfc5178cfcf7455

SHA1
ee484e4ba57a5eb503723995c00bc7205678c5c6

SHA256
130332091e29fe19b98e2cb0c69e4732db3a448097c2d9461db399c8cfc74755

SHA512
13254ba12981653ffbd60642702d5da5a727ea74ec2033a0d06d7e0ec58ee599597916ea196182c413fc0e699562713aa09bd395341692a1474b103be997effe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
714KB

MD5
52ed9999e722866e1bb827e4b7c5b5f1

SHA1
72a4fb255053e919cae298b0d08d69bd7c37690f

SHA256
4bda78ac80563797d9f861506ca6bf5d3ca6c36842057539cc2015b4ecec5be1

SHA512
005c5dcfec2845444b5851e5b542ea50e5929b07357a15f991d18f9d06ded090c77e1f3d9694062c3fe831775308dab4daf9e7dc503e187fb2280c58cd643dee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
666KB

MD5
b1376ef8539a9f471a38cd4e8ccec70b

SHA1
596864b9f0326a4807df83374c14bc27669110e3

SHA256
2ad47783b9c1e3840b229e1ba21a5a715b735fa2d9318668c307f7fe4796c852

SHA512
34a46a0a30848f81f5b76ee402f2ac54576ee8d2da8d974fd99c861cf80f87f2c3fa3635564881c58a56a5499bea65ea995cf09d5a772a12da0a630b8b384e59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
608KB

MD5
0b50ef6fc2c8ee25c2d8b89ed4e6e80c

SHA1
ece4b2b3c2e36599b6c5575d69059a63ed712c9a

SHA256
8a1331c0b6d40499d7b1fabf13c2b4a0fa685f1321b1d9eec89bf9d6baf564ea

SHA512
6ed7845113464817db6d64f4a1633bda0a40447a11e235ad7addea6820bd1e090ccdb5c7dfb2cec47ae910d47c7c71f8ac21955aca11c555c4855292160196cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
445KB

MD5
172f1d4954956c8c6dbe387019ea0246

SHA1
cf948bab19060932467d3c8c7124d111deaefc0f

SHA256
454547ad169304b0c1f52adcca9aac85d6b2f45cb4ecd21a41d67b8fcd983314

SHA512
0143b42514d70d8e5aeca59c0a7f7653a6cb139a211726da8b6f99895807578d05e50a00e6cc1b70d66e7d8eac7c12657e44fec71c7a1217b865c141715b9c26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
440KB

MD5
4b9bd27944670d6a4d756ea2e2082630

SHA1
64942e8c7b733b70d463f13cae8d355df3b0e317

SHA256
9c0903afc6b5eb9de524b3860fff44feb5bdeca7aafcbdfaecafe6dfd8a5c2d6

SHA512
715971aa6f586c551e608f2a844a0d69e04f425c6e8a6caabd9eee8b0c418467a4ba776c14caefd1bd963c7567b0274400b7679881d169c32622b2c046eca100

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
633KB

MD5
edde7bc2e52f02dd74ca3770c8ad9a10

SHA1
f9a8ea402ac26dc58f090f57de0a194298c00654

SHA256
02bd637bc267a7ba124ba5213e26f2eb9d12ad39484d0fd94ddfe9f7937c1d5a

SHA512
b58fdc6172f236648b9eb496a7a8ffc35f79f65a2a4fdd8a742313569154624268280dfb2de3d6cae6b83b736ef4ee1cea99ad2f68c0895045f8676cd322eddc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
422KB

MD5
b8b88dab735d3193dd97dabca5e5e915

SHA1
9d8fb82f22089ca2b0e60513de678d6ba8b3b835

SHA256
88f11f672ea623f6d4f97bdfb302687d611c5c7651530855443971d0d1ce6476

SHA512
44eb1ecbccfb41491a87575adeaf76408846d388ec28ae95c5aaf478a0de07bdf47c03d5900b4e89adabf55d0f0c7a34d447cec6344810e55cef13b8bec56f24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
498KB

MD5
f4030c02dcc8731c3cdf49fcf708a427

SHA1
8ed2a9a6ce3119dfa3dc98c2ba8440de91f83a2b

SHA256
ed441947eb8eb8703d7f39ddb04123ac498121f57fca5df25d6d3c66dcda910c

SHA512
5b3d592feeaaffcad130acb76afcd9eb995a17184823ca7a463b4fa4495c3aa4f0848f4d9d1e34935ff5dba0d5008438c02c64918fb5842d9f8229d46bec87af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
576KB

MD5
61206c555dfbf3d6f3acff65d4e05d85

SHA1
d32bd7419bdaba8219e46d31eac49f31a566fcf4

SHA256
3e543f27e25f582d957a5d934f9408d15b59b1d7a31f8b8f0e7c67c2307b098b

SHA512
95a9873c7503040691c55c8a43d977e833e5c29a76bd33ee2b2f33f04a177dd2b0e6f936a2e7d6dd803a7db10129bd8bb60589d40721be0edb31bc5021a18676

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
370KB

MD5
2cbc18167cb9e213a029e320b271a0ed

SHA1
20eb69a18b3547a48f63a05e7447fb8fa1cc9780

SHA256
fe2adc46a6f841fef904b1f1922c3cf60920b42f32f9490c1de7dfcfc773e0dc

SHA512
72401167a3b116da24b464f3b4f4087bd820f900c508734b36e401f5180a6f6f03b1b35b78230a3a4955ae7b36c1d0e72227e611bdbd45552b9d3c1b3a8305bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
560KB

MD5
6e2677fe8c423baa8e7cdce500c98186

SHA1
dc425b02eab72ea2c7c94c6b4f2452ccb96bfbff

SHA256
afd8f75226113052d5763cf7c56ac8dabdf2bc57534ed308e63020d98fa91b2b

SHA512
873237569d9cfe3cd9454c62c0fb7a772a3a0a21a65241df5911ced7bf31dcd6e26b00f3babbc4e1e8c33ef3d39bad3bc1a0eb59dc6de9409c2d0bdb067acb12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
256KB

MD5
4bdea8a7b31eaf287c187584d1105e13

SHA1
58e6e2d28e755530f196c7027224be0160fdde9d

SHA256
64cb81e62b26de7565c18c2d6f76eec6ab92be9286f4e0631640166fc3f1cedb

SHA512
a35ba330adf2b6322735db26ed1e27fa9e36a2f7831c6cb86ae3a759f2e59fec41cd4347a5ee40ca89268cda03bae6baca4a5245c86f4d5117900619031d4dc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
480KB

MD5
be7d1072f8da45633222ea63bb1ef05d

SHA1
e54f5b8082fe55f05a8ab91003c1477c51ba176a

SHA256
8f5746bbefbf155e398c96d93e6ecfe95115ed2f9ca0263987392f3791acab47

SHA512
ce38fd56574a2af8315acced22208c36f677f55ed4933de4ecad3f297a234b7c738a3c55753aeeb601b36c304df3eb5d5d33b794b6c61acf15f5721215d856f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
412KB

MD5
1b9b20acde93ad36f9c278bf3fb0e620

SHA1
1cd6f5a8679f19376bcacbb98c68161f82342e6c

SHA256
811bedc47a4e3bf25a9b0d35618a7fada29aeb80f7a729d43a0ab46051d0257b

SHA512
81fd0ea2ffa951f45608578adae96dcc64f8a4ffdf205fd894cc4c9387a839928245dd09b65ce048a5d5f2de52fa2db8eb99003f41dbbfd3de0541009a5ceb00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
301KB

MD5
7a9a2589ffeb0d1ed93117ff328b5e84

SHA1
9b84f014f5304ac67bbe38587b1ef86f07ac9e2e

SHA256
5e2b4343597a49fe3dfea570cb7f29a237984d69e22c4565b1b4bf11deaa8925

SHA512
b1e50aa0f483cc99be723b27a47744dc1cb870290f6189c923c3d7874e50e156c93a14ce868c12d3283cb740a7fbda8e1c88d35b8bb09e1f41678eab58f053a3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
71d9080a8a3e30be5d26c669ee087df6

SHA1
0c3fb79c82a1ca652495dbcab9cfc14823fb433b

SHA256
fc23dd48d5fdf955441de38eccad538bc1ee930b705a86028cd99b4b1edba284

SHA512
f324a1db8fbcf5989ccef863c8d6ddc0a6c3e94aee203667b1225fe987aee4ef2944e1da0f47101d433614f099c7044d1a8621e611ecadcc15e0cdd6c8955d57

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
555KB

MD5
22fbef57369cbb8f14f62a9a46e21612

SHA1
16ac12b1ed730605e3c3d9cf81ac8d9c282778d0

SHA256
08d49616be4abd0afe59bcf37eb690da2d266303dee7529ef1520157f256dba9

SHA512
d39c6173b75cf253ee4cfabccb0097238ecbaffb23347adbf37d80d43756a1356a0e8fdfcb39133cdf6813346ac85bdd70618acb37b14e5661a875c2cc6d89b7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
165KB

MD5
de8fdf8ecfa7e77b7cca4d65ed460743

SHA1
38ac482c3e93746e3a65f987ff7ea53e42a39663

SHA256
b729878855b43713fd8e0ee9d69d4e5a53a00e2a54b848e8927d8af8d314cd1a

SHA512
74ce10b7aea2a8732129e48c5668144766deb84ad61f612adb9f8bf44623e6616acd00d694675183f6a53982b391089c2a8403671e926784066539cb4a9cff51

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
143KB

MD5
7bd78b55a17c5b3c285e26881c255a9f

SHA1
8bfe9fd69bd4115795e5b806c75b946e44a4c572

SHA256
22d9244aad8e5426a1727d5cead4dbb2b1b016b12e94987e84d0b0b25ff27614

SHA512
6d13acaab2ddaed3d24d037f941a35d6c75b2e309c192414074608daa97a016a41a47dc0129609db24149a9bc8f76becf3f6301b8e0a81103a5ec750136b5cef

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
191KB

MD5
18818a5775d845147d189a7bf80c8500

SHA1
3fc52e4d65e9fdb6bc704a7febbb094602d9bfbf

SHA256
1ec130adeaeb9bb6d6bd13b08920b32fe8ea418c37f4fb018a08d2724fb2a429

SHA512
7a3cc9992cd8332472aac2ffccb36e11ba86defa7fab487c6ee82af92ac44b3ea74f03164a3d92e5c6578a5d678e83ba46a3c9af640a8cd1531fae7497fc5c40

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
222KB

MD5
c6c486c61177ec644421a396ea0c19a3

SHA1
1d3899a41d9ceaa5322e3a0d424937f4310bd723

SHA256
53731f8d6a859d739d2c409cc6412c5f1c26f5b208991c55cac6711ec1677feb

SHA512
3a8f46fff001c62f7cf6bf8b77fb35a2941de293932e90a9127bdc752899d49c57b4105e483e11e88621a4c2de663965747347a8136fdc387e91a084d07f901a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
302KB

MD5
a05abc8e259205e54061f75594eae893

SHA1
9256206a7d0f1ce9311c5e720ad79f43e17eecfc

SHA256
1e86f30cdee1f27fe6bff04ce3514d9f976e9e1dc446b6c94538ff009d29f32d

SHA512
8b00fe9e7e47040616becce3b0c2e255c74f1129e8cf060cbafc8ab06b07cd92c1189d5b20cdcc65589ffca7c3a9cdbd9ec4376e067feea17639f87f44cd48a7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
51KB

MD5
2dd873d99685450fec504f71af6f3def

SHA1
1229e19bab8c01ff264806387608d2537d661b4b

SHA256
0c5d86d0db95fcde8da17d714d638cd26ff9e0a226eef50435d940bfc6a8bd2b

SHA512
05aba3c1dfdac42076407e14651d5cc00ea7cd7601f784e8bd71e2482a02036397f3604dce70885cee3e049bffad7530d9352f4b5b01a153301efd686b7dc2d5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
21KB

MD5
1314581e01a64018ee51dca3bc65e258

SHA1
5d83a8cdd259950a35ba9b4254380997bbef7734

SHA256
102d6de9e26b160b1e94868ae0c5082b1c1bfac62e24189f5a50171aec2d1bc2

SHA512
d5eff0e981bfb3118c0cb60177995636876fb3879c46bc4b95871d04d47521cb2e4c993b962d0d1e6ea52289939c58b5a70a9af241d40e145ef60c260797faf6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
265KB

MD5
4f42ca41c35dd955415c95d8190d8f36

SHA1
0742a6f9744c4f3c31d25f63b1c91a80f90cd365

SHA256
d274ca23377ed5c530419b0be4713b2603a31df07bf6c76cdda98c9265283eed

SHA512
9a65d5730309e88b0bc71437d0eecfc2ebf029b15f30fa4f304b5c6f9cc3327d3d86a6b8b593ae540c2bb4b76bd09324a17a9a43754c4505efa68b6134a64d58

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
99KB

MD5
68d0d036251c65c2cbedb87a86f9cb47

SHA1
5c8a2a0945aedee57dc37c05db33ce3132ace902

SHA256
359e8ca86cddbfbdcea9ba10f24a85ebfc112a0898ae330a83c41fe754f2096d

SHA512
97a30e607a160790dbf779a8472d18594c731ccfcf502367c2bdf4a3aa899121993edf4129d52701afac33a8e0e130ec3e0a60e1f69da5697379787ad7e0d84c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
81KB

MD5
8220cbfa262ebf059b5c4761022598a9

SHA1
d11fbedc6bea90b57d8239184aa60d415140a604

SHA256
4256883ea77ecab98849a4ab004d4b700a6c9a5676a857edf5334b99aa81944c

SHA512
b1d5c2de9ad7acb1cbde286afbefd89909e54bf03212235618c6790dd3e9b7796f060df5369c27106e05bd1f5637304368a7b33ac7b7e3b02ec85ca752ab2f5d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
992d9fca1430ce79c59081dc9ba8c980

SHA1
6448c4289a8f1dff927c9021b25fcc1a6770eb2e

SHA256
0835049498730b4b5cc3fb4c7bc8aff98d01f0fd1163ad89aab8dba9616b613f

SHA512
31190a7289b7cb052f2fc61df623eb6e8164c2ea7040c5e9a36e1feac566171408b9f129051f62ee6e135c27fbdd8c5a76ace32a1f9576483fde249b2b5cc9a1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
118KB

MD5
6d8591f5f07ccc766b59c64196aca765

SHA1
955b3e93fe0eece7ebef54e9300483f2c5681206

SHA256
a9a651d42b7235430fb63cd48f4c5c7615e8dc059d436d7433946be0678fb036

SHA512
550244174cff4103e6e6677e18855a9b2b04421093eb0a5115bab0da1f50af5c5f1d0de34c1d40d2332ce043d856d65ac2b200bc985b693bd43ab1ed57ef0de8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
6KB

MD5
298e8eb62ce2b36a40a8f2c4652ce77b

SHA1
47d33a3d89b2f79aa93060d0d2775dcdb2999e5a

SHA256
95b735e1b31c149456aeb8e2da50d706df58996273a32493065e3959378ff68a

SHA512
b64d8c6eb99a71873f0832baa4dd118fd6d40061e911f44dd444ee98e86104e612a1c596bc49ec75eda5a03b35858bf495e797d5ddc137768b07b6b9a2e9b5b6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
183KB

MD5
83f486e7cb37f407a0a238af77894fb5

SHA1
ed7ddfed6a65050d8f0485230d6c4a1225891a14

SHA256
da696c42559e726009b206a5c0e774d05f13d685a00b63f3cebb9a6755825948

SHA512
b71b3c787d1171050af02be8012d56cb4fc39e1711cb9fa76df818071976a5901deed9337e987a6ab50e3ca1bcbd7a80dff5f74f3aac22c86c4d3f2e4b6faf16

Download Submit
C:\Windows\System32\alg.exe

Filesize
9KB

MD5
7adb25f36549c823604a7a183d8a6274

SHA1
98d3222b74a8841613d30aab74652a4af6c9a709

SHA256
404095c5d2efe8c780551d8dfe3f0913e1c73a86c378d8f07f0e8febe8c5800f

SHA512
c00fa6fb77131250004706e7d469a6e1be9c3ceaad5f0706a9aba54f7f433faeb63a3e6a59be3355d816310084661d51f62c6eb6e98fd692fb327637b0d3dde4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
137KB

MD5
e88f70dc823a03875f75f1c40bbd89ae

SHA1
2648f629e7bc6b9e2a3b96100cf996f0e49fc7d4

SHA256
fb6f817b5147be2d7db00d30e130e22e91f84163c9aca82c997a42104bcc88a7

SHA512
94fff3437c2dfc59dd74b7b16c21812f8e300f49b4760b1ce304167960463d8819c6f9e856f682d2fec3136592599ea744c813a4f56d944dacc52375787fbe95

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
53KB

MD5
9ea5e389249454c26c6836e91ad627f9

SHA1
883fc05d1e2a5d4b945b6c70a9abc9daf695eee0

SHA256
d5691f016e55437c0f8d23302801fa0230f428bc259d8472ed7aea34075d8290

SHA512
8a03c5485825dfc6c2a93bb3a6fb15b5420228e4abc769fd0491ad6cf34b7a09cd59cb104c15bf666388fffc53588ca1ac20538088766e264e9cf63b9fbbc1fa

Download Submit
C:\Windows\System32\vds.exe

Filesize
216KB

MD5
2587564b2e34a080d5ea023151b6d30d

SHA1
ea6d7ba9b8493eb8377218d658a96d5653c465f1

SHA256
a4c4daab8b5344edb6ce73ca242c0e12be376b6631b18e22520e11207f1037e8

SHA512
aba1e8a608dc4d2038230e4b6e83b6f39cd7e418798554e7ce7567db61393772b97e17e3e0ee9983ad40b36ecc2008defbc0159f8b1b742f5f18e38c4f2b7cda

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
143KB

MD5
aabbded1b404ea2c2325fd95f99689d3

SHA1
e2559be6d44bb9bb26e34c4e7c8112e48d7a4d12

SHA256
5df476bd583df003cdd4617d791ea6a2fe34d8fa09e5df648efa73086de403d2

SHA512
a1ee5e1a9a5496e0e64442de13cd85933236f8733edc4016363ed2aa7e68c97279a73fc8c0b2f44e3b9529f91879d71db1d99ffb8b5c37d7b182e52a18959562

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
103KB

MD5
fdb1b5c03036c455e66036ec8106175e

SHA1
774b58398829678abc989074ce7b806629991576

SHA256
8ea0a9c951c5914afcef48ea8f1a58ebde3ab872ed5c7c9d7225a3529b0b791f

SHA512
13cc1deda885b657940b3347b55a0917f16bd2051378fd52a355acfe3ac62255d0a4425f0ef40ea89dd82980aa783e2a0f641e8db2d4d928a50b00eb8859438b

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
7b5ca73615fc26440a792d79610060e1

SHA1
daa85082e8c421c6c106a2f5e5597926cff9389e

SHA256
6ae362a49f07497d04d656f1e41aa26b032628fa7a28ea7f2c463c808c95e5c3

SHA512
c83b1c0d0b60ef275ce6a8cd70e4aa60d3c878f9db1257e0d02ef810fc177cd1ca3b73f7ca492bdbba793a9a9ad396594af69a3b269aacf5b9f11faf612d33db

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bf5f8f4d3daea21c9def12674467ae40

SHA1
d7d396a09d7d6f0f98190eb914d4681de0e17bba

SHA256
c9ad83faf7a70549afdabd347875b7400a15288c3cd2827e7999cd81931e31a1

SHA512
3e0ef962fead4c2dd9ad90e03110f50ad7d15efec76dc7fc872aa8bb36d86d5851e88b34d11a0173467547eab7eeb9d50f7e61eb7722fcaadc7b9ab7a7f827c1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
d9285c5dee1d027cedaa0ac80136e216

SHA1
d651f6099921b1ac380ff39edf30e86d930a4166

SHA256
7f4e9e0ce601e44367e59ea42375ded8818f1330c3a31784927012b28e96e65d

SHA512
cc9bd01dd7ac3b7ec575b584a87f3fc3fe685bc3b8bd28d9f4aab8a0fae8c083e0879712a17acfac7e78318ddebd406523d861746f6d392f96fbfc2f2187b556

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
78e37b560ea9b94e54f2d60492469db3

SHA1
78a414b52e1ae6647c0ad0fc47a3943b3da95700

SHA256
2060146c2602589cd4a7a6d5e9d7e5e6f7beda3e5c74a61f0f73ffdeb28d0063

SHA512
6e2e4743790561494abe669f1916c6052438f71a5987132fe34eb7f25c9e40422e2f8e06f41b67aa1e51faf2c42b5669a37c5caeb8757b72de13c3a973baebc2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
dae82bde75137c90e4ff86829cf0a88f

SHA1
a784351203f0cad8fa7328b88552e15d78db3cd3

SHA256
fc3f19dd88e1c3f19790a65e7956cffc647945cb8de08f95f1b992033a08bea7

SHA512
3abff460907ff133a0e3a11711df131863142269c40212b36b61f9d315d9e3adb700bd7bc310533d937b580ebcbdd6c4199f84d4f3c7b507a6867de02da427b4

Download Submit
C:\odt\office2016setup.exe

Filesize
1.4MB

MD5
ae2d3777f1047e6eaa3588f56f385f72

SHA1
c606b5e89380a754185993a20fad2ac12659fdaa

SHA256
ebe432b83179c315989a175f6a6f1faec41eb4e6c5caf600fb14e6537f36e841

SHA512
79f0cda2e1b23db62b4f4fdd103b8e353fa286f40699d17338c5cf5f183a68688428f3fc0d211740d6df191734e17c236bc319475fff2d5e5c6210d7c54b6cb7

Download Submit
memory/384-155-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/384-101-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/384-93-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/384-94-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/432-230-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/432-221-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/432-292-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/448-275-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/448-267-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/916-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/916-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/916-39-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/916-46-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/916-49-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1456-288-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1456-281-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1512-6-0x0000000002500000-0x0000000002566000-memory.dmp

Filesize
408KB

Download
memory/1512-7-0x0000000002500000-0x0000000002566000-memory.dmp

Filesize
408KB

Download
memory/1512-65-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1512-0-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1512-1-0x0000000002500000-0x0000000002566000-memory.dmp

Filesize
408KB

Download
memory/2032-152-0x0000000000D90000-0x0000000000DF6000-memory.dmp

Filesize
408KB

Download
memory/2032-158-0x0000000005570000-0x000000000562C000-memory.dmp

Filesize
752KB

Download
memory/2032-163-0x0000000005770000-0x000000000580C000-memory.dmp

Filesize
624KB

Download
memory/2032-157-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/2032-153-0x00000000737E0000-0x0000000073F90000-memory.dmp

Filesize
7.7MB

Download
memory/2032-174-0x00000000737E0000-0x0000000073F90000-memory.dmp

Filesize
7.7MB

Download
memory/2120-252-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2120-262-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2272-107-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2272-117-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2272-167-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2400-60-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2400-54-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2400-122-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2400-52-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2552-137-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2552-144-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/2552-194-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2856-251-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2856-191-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2856-182-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3352-92-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3352-29-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3352-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3352-28-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3556-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3556-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3556-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3556-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3708-175-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3708-233-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3708-242-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3708-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4456-264-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4456-196-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4456-274-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4456-202-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4676-79-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4676-76-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4676-84-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4676-90-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4676-88-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4680-148-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4680-160-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4680-208-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4776-124-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4776-181-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4776-130-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4916-22-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4916-77-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4916-17-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4916-14-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4940-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4940-235-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4940-248-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4940-249-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4956-211-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4956-278-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4956-218-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download