blustealer | 3ed0594f9fef04feeaec1abc8f1ad0b85c75df614ba09377e394321ccb16e586

Resubmissions

12-05-2023 14:28

230512-rtgxxadd83 10

12-05-2023 14:17

230512-rlq6lsfe9y 10

Analysis

max time kernel
1200s
max time network
1205s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2023 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.4MB
MD5

98ac95047944a90076ed642f2b56fc7f
SHA1

e34b95acbdbead3a7057f6e42673bed24aa573c9
SHA256

421845b1fbf3828e4f4fe3e7147f501a422bd6ae755e388a089c67d005770b58
SHA512

8d415d64193df913602752c3004a7a24d7bc0ab29129eda9a1e9653e7cbfbaccb5ada7a1aa4a8b4ea81ff7fc2696fea242caf722e655b43f41cdc952738c5f74
SSDEEP

24576:N8whh2b5/1L3Y5zhzKSYIb34DSNCZlk0pRIIV6Kkcd4UiivgEvyV1jBSH:w91Lo5zgSYUI24ZlkwRI+9WUiiv7vyX0

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1996	alg.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
4988	fxssvc.exe
2288	elevation_service.exe
5116	elevation_service.exe
4956	maintenanceservice.exe
1900	msdtc.exe
3892	OSE.EXE
948	PerceptionSimulationService.exe
4700	perfhost.exe
5092	locator.exe
3124	SensorDataService.exe
1972	snmptrap.exe
2596	spectrum.exe
1604	ssh-agent.exe
1924	TieringEngineService.exe
3824	AgentService.exe
3132	vds.exe
1676	vssvc.exe
4676	wbengine.exe
1432	WmiApSrv.exe
5096	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	OSE.EXE
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	OSE.EXE
File opened for modification	C:\Windows\system32\AppVClient.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	spectrum.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	OSE.EXE
File opened for modification	C:\Windows\System32\SensorDataService.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	snmptrap.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ssh-agent.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\msiexec.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\msiexec.exe	spectrum.exe
File opened for modification	C:\Windows\system32\AgentService.exe	vds.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\dllhost.exe	vds.exe
File opened for modification	C:\Windows\system32\wbengine.exe	vds.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	snmptrap.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	vds.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	OSE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	perfhost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	locator.exe
File opened for modification	C:\Windows\system32\AgentService.exe	TieringEngineService.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\AgentService.exe	snmptrap.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	TieringEngineService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\49af447650d0d086.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	TieringEngineService.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	TieringEngineService.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	TieringEngineService.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	TieringEngineService.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	OSE.EXE
File opened for modification	C:\Windows\system32\SgrmBroker.exe	locator.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	OSE.EXE
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	vds.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 3204	848	Purchase Order.exe	91
PID 3204 set thread context of 64	3204	Purchase Order.exe	98

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	perfhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	locator.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	locator.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	ssh-agent.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	TieringEngineService.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	locator.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	TieringEngineService.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	vds.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	spectrum.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	TieringEngineService.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	snmptrap.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	snmptrap.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	snmptrap.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	perfhost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	locator.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	ssh-agent.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	spectrum.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	spectrum.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	TieringEngineService.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	vds.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	locator.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	snmptrap.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	ssh-agent.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	ssh-agent.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	TieringEngineService.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	vds.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	locator.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	spectrum.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	vds.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	perfhost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	perfhost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	spectrum.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ssh-agent.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	ssh-agent.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	ssh-agent.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	PerceptionSimulationService.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	vds.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	spectrum.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ssh-agent.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	snmptrap.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	locator.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	TieringEngineService.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	OSE.EXE
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dade0c0aef84d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bebf508ef84d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000097a290aef84d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db32be09ef84d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035190b14ef84d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000299b4409ef84d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005795a109ef84d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002444770bef84d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	100	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
3204	Purchase Order.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
2288	elevation_service.exe
2288	elevation_service.exe
2288	elevation_service.exe
2288	elevation_service.exe
2288	elevation_service.exe
2288	elevation_service.exe
5116	elevation_service.exe
5116	elevation_service.exe
5116	elevation_service.exe
5116	elevation_service.exe
5116	elevation_service.exe
5116	elevation_service.exe
3892	OSE.EXE
3892	OSE.EXE
3892	OSE.EXE
3892	OSE.EXE
3892	OSE.EXE
3892	OSE.EXE
948	PerceptionSimulationService.exe
948	PerceptionSimulationService.exe
948	PerceptionSimulationService.exe
948	PerceptionSimulationService.exe
948	PerceptionSimulationService.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3204	Purchase Order.exe
Token: SeAuditPrivilege	4988	fxssvc.exe
Token: SeRestorePrivilege	1924	TieringEngineService.exe
Token: SeManageVolumePrivilege	1924	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3824	AgentService.exe
Token: SeBackupPrivilege	1676	vssvc.exe
Token: SeRestorePrivilege	1676	vssvc.exe
Token: SeAuditPrivilege	1676	vssvc.exe
Token: SeBackupPrivilege	4676	wbengine.exe
Token: SeRestorePrivilege	4676	wbengine.exe
Token: SeSecurityPrivilege	4676	wbengine.exe
Token: 33	5096	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeDebugPrivilege	3204	Purchase Order.exe
Token: SeDebugPrivilege	3204	Purchase Order.exe
Token: SeDebugPrivilege	3204	Purchase Order.exe
Token: SeDebugPrivilege	3204	Purchase Order.exe
Token: SeDebugPrivilege	3204	Purchase Order.exe
Token: SeDebugPrivilege	1996	alg.exe
Token: SeDebugPrivilege	1996	alg.exe
Token: SeDebugPrivilege	1996	alg.exe
Token: SeDebugPrivilege	1168	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2288	elevation_service.exe
Token: SeDebugPrivilege	5116	elevation_service.exe
Token: SeDebugPrivilege	1900	msdtc.exe
Token: SeDebugPrivilege	1900	msdtc.exe
Token: SeDebugPrivilege	1900	msdtc.exe
Token: SeDebugPrivilege	3892	OSE.EXE
Token: SeDebugPrivilege	948	PerceptionSimulationService.exe
Token: SeDebugPrivilege	4700	perfhost.exe
Token: SeDebugPrivilege	4700	perfhost.exe
Token: SeDebugPrivilege	4700	perfhost.exe
Token: SeDebugPrivilege	5092	locator.exe
Token: SeDebugPrivilege	5092	locator.exe
Token: SeDebugPrivilege	5092	locator.exe
Token: SeDebugPrivilege	1972	snmptrap.exe
Token: SeDebugPrivilege	1972	snmptrap.exe
Token: SeDebugPrivilege	1972	snmptrap.exe
Token: SeDebugPrivilege	2596	spectrum.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3204	Purchase Order.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 3204	848	Purchase Order.exe	91
PID 848 wrote to memory of 3204	848	Purchase Order.exe	91
PID 848 wrote to memory of 3204	848	Purchase Order.exe	91
PID 848 wrote to memory of 3204	848	Purchase Order.exe	91
PID 848 wrote to memory of 3204	848	Purchase Order.exe	91
PID 848 wrote to memory of 3204	848	Purchase Order.exe	91
PID 848 wrote to memory of 3204	848	Purchase Order.exe	91
PID 848 wrote to memory of 3204	848	Purchase Order.exe	91
PID 3204 wrote to memory of 64	3204	Purchase Order.exe	98
PID 3204 wrote to memory of 64	3204	Purchase Order.exe	98
PID 3204 wrote to memory of 64	3204	Purchase Order.exe	98
PID 3204 wrote to memory of 64	3204	Purchase Order.exe	98
PID 3204 wrote to memory of 64	3204	Purchase Order.exe	98
PID 5096 wrote to memory of 4624	5096	SearchIndexer.exe	119
PID 5096 wrote to memory of 4624	5096	SearchIndexer.exe	119
PID 5096 wrote to memory of 3376	5096	SearchIndexer.exe	120
PID 5096 wrote to memory of 3376	5096	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:64

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1908

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1900

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3124

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2384

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4624
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9e0adac3edd8b47871e16d44c3553cb0

SHA1
a12afe816604ab78116ea273304ae12bd1550696

SHA256
83c4ba67e73c557591218ac844ffa8bbaceb06f9e45c69ca64ca2c945fde33a7

SHA512
ea19d05435a6023e82f3b54a767312cbb4e20411f333fba813b85ee9eeb6a7edb86cf3ba2fa9496fc4305bb2513c132646ce32103c80ac42adf9f391e188c65c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
43e2d4405dbc7851c4fa838e4e9aa9eb

SHA1
11ec2be0d9c9280c3d2c7fff0fb413099e44bec2

SHA256
3061238e22fb4276c9a04a09d6dbfc484f87e17ab111a41352356be8e4f920ef

SHA512
f8e3e06fa925706aaeaed42607f579cb2d3f92217cb8a2d9f04e704da217c4a9329b441de90f5d0593cd771a274c9db0920eddeeb5ff77191cc1a6174b94416f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
43e2d4405dbc7851c4fa838e4e9aa9eb

SHA1
11ec2be0d9c9280c3d2c7fff0fb413099e44bec2

SHA256
3061238e22fb4276c9a04a09d6dbfc484f87e17ab111a41352356be8e4f920ef

SHA512
f8e3e06fa925706aaeaed42607f579cb2d3f92217cb8a2d9f04e704da217c4a9329b441de90f5d0593cd771a274c9db0920eddeeb5ff77191cc1a6174b94416f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
68d7a983594baafc494ba6962c1b3d4c

SHA1
76db913255a6b9fb12e757130876ce9d46ef9779

SHA256
5947a752eea07838cec6d4d9eae10d081dfae3929edf7f03112934ee1569ad5c

SHA512
e538b9bdbcbcbbcbeeb944325736b0d2925ba3918f2fef3346fc613f864e22f2ee9144d2c64c26815ce6f47fe638b7936163280503c7acbd7350a16858cf9a62

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
71400f063905f9ad83cf4b8f0eb56f62

SHA1
d47a412291f7f3db92e362459001ec5883965c00

SHA256
c77f1fcf45ae55375497f4dbc648b6a9822ed0ead72c8a3a4827d7b8dc50ac12

SHA512
23fd851aab0c51092d93d1d7b4ad6c8da6b1fb24895c690db5784beb344257db72842306b8af30caeca7115b147a62f4f6c77f1f334ac020b96932acdecde368

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
adc4c7bf443ab5280a1cc8243007a0c1

SHA1
83986b6b2c2c0d8b2d6f299e99a329d1057e5fab

SHA256
e5db52a134df16f9f1d1d2902b9226b36b6c7224b22cc821d6538b011daefbc2

SHA512
1a73630d288140ce5950ebe278762cfee10822aa15df62c14ca63ea9e807680364b5b9b59ae95c5c27c96989187a60851b42a8e4d5f5de0091db1c6438a02e58

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
3ff2ba821406a45f5714139b06ba97ef

SHA1
ff6bc87686b39a6cda93758c7a4aa96bbacdaf32

SHA256
3ac1f04f1d3ba8928b7075f330a07fcd2acd7c93624706a0f7193d594c76053b

SHA512
81bece904025c468fb998d7bbb1201e9c231a5365ead7509b608c24e44ca342a24e8d9408d7d26875467601124e0f17632fd89292db2f686f9c0b95263e5d31c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
cad84d92f35b00ef8c1e51e62d0b134a

SHA1
437ff3d0e7eff9111cbafeb2705d594818dff6ab

SHA256
dd15e0d1b73784aef4e038d73c9cc25e02f0861543a6c2b4a10010a0120ce053

SHA512
2fc536fb39fe9c33219d57d0279d279facba20787d32f4b4a0f4448dce5af0d517290321447681da2b02f204e2ada8ad0f8841f34bf473817edd4ef9b17151b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8689630c9c4e867a8b4f4ff8d8042462

SHA1
9d334ef6176afe7d545e8708387f3431655343b6

SHA256
aae928ecdfc9b65e3d5d06808132faf9f3e98120b897bac5a45f2f831521e6e8

SHA512
60ee37d7e7ed107d4a5c4aff310f200d7ac8b6433fd1cb15857e400ece8f153cde8ae55c5ca0a03e3f4f606aef89654c2222cc733a7416793a3990be5c05434d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
2b3e7cc4a227cfe2eb496bf1a7e4f714

SHA1
e1d602a870b14eb137ca858abc700f39d8f99ea1

SHA256
8b00643d941a4bc6cdd60644b0c1e2d58dca44c9e454a468ad4d63c919996bfb

SHA512
8417f659753a7e5e9b14578adab1ff847eda94aea142f4537f93a9cfc2844a82ab6c0e074b8607743e9de520611e05be308eb90e00751915805b022706e5ea79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d824dd8321f26d9e710133763d7f02f0

SHA1
96ec48194fd6aabf9aa27e1086a17865537f85b9

SHA256
eee52e65d232919ace8f3506cbb93d8ca482d8dd61ffba09e8aba2be5700ca2a

SHA512
bdb3f2d74e0464d1e7c12327b0d84b282676d2aba2d8d0b2270e02b4b6de74ca5857b7c1aef7b4147cb2439508ddc15568195373775212449f16634b52f77901

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3c1a56578cff33dc667efce0be794503

SHA1
8abd5537fded3582e70f4369e5ef8ec62ad68c8a

SHA256
e1663b83bbe96a2cc19b8ef96f26d629797e4637f559e622c94a566782b64f92

SHA512
63a945435c2087243c7ce418eecb86a1140fcf451df1000eae64b6e90992c823f36e99c067058532f9e302423e9be661f919989ebc2fc8a0326057df7de1c6c4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
18fced19767af1d9e677a5153a54ae9f

SHA1
74508dd722a8ec8ebfa17cb7f223f4de8093d1c4

SHA256
c4a5f0208676bcfaa1747b5edc63e986288c2eadbb288fab092029d8be45f7fc

SHA512
d3f260931a1dce0733af8aee7c87cd49196e69f342c23595a3e997d5cc2f0f03a2e8bc702d02a33712e334a0036143b6712210b104b6425d14932ff4b7964d8f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
f12981acf0e22194e5d43ee2628de73a

SHA1
ee9ab20b8ccce76fcf64e3146eb112310c5e1324

SHA256
525a13828069f14503a8ced074ef598c132bb2149dbe023ef41cbae51fe96e44

SHA512
b6df1eaeade441ff75bc71800ce6595af5e38b49831c5ecc7598966357b532469a81804701f280ae4f11b55cd265a2a3fe8107bfe895784b6b1768726822ded6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
4ff2c98194061a14cff9860230b73c94

SHA1
933f111a6c7f1ce709f5333e7b37fd3bc4ab853f

SHA256
92ed029dd6afd208f38d37cf58deb3c76e424de09b38da13a0fbaef545806211

SHA512
27ce922ad82ea08a4fe035d18eb3e0e704d71bc425ead63eaa733e33f2ef3caa9ba4c5d7c8bf61a18527450ea8a5eca5f07e1fbaebed6ed1bddcc20a9a414bfd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
1446f1325304540ac3adeac101bb8a18

SHA1
f69773e8eb4b6192ef21bc4a591cb16567571d40

SHA256
29db44c478ad258dc2917696faf97ad9bfb76c1be9616d925ec7b880a1eaed47

SHA512
9810e2985840691cbcc8e39905d1c1a51dc23e5ae15564191df9115a176c3fb99fbb2f56ade2d30da25c7a7c83792cb6a3bf1e0191ec391141e6b58174a1c927

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
ab8ac8b96039a4a8c763bd43821d2f92

SHA1
4a74d75f8b8bbe297dba0a90f08dda7f66940418

SHA256
14d43500176fada1c7c03782213dea750779b9a895fc17b32b2e809679e1e779

SHA512
569de2cc4731bbe514c6bb25e14bec8a44a987d3a69010df6036c45a4c5a0f9dd1e30a315186c5e6aa7b8d2a547dc8af8c73371110b4bfc027a5dc59f5877de1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
904bac20ca040543a7abd8da7fcf68d1

SHA1
0404b7d932831ccf77f0b94c6cf045d18470ce15

SHA256
b49a0b4cf93a4cce905c5aa5c47534da8f7e0dbe66b5758b7d6c8d38acb50c39

SHA512
49cebe22199da9d43a295497b7e625b07f36628f5c8a58a542cf53acfc1e40a9b4bbd2990745c56f43dd99cdb38857c06367987868b6309718376dabc106947f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
45e5792807d0cfca89d56415d799670e

SHA1
1d1d359b3bcaa83ee8d21084a79e6ef4d1451301

SHA256
40059858dc6ead09244c641a89e159561cf06f92bb0b469a9f3416d65312e51b

SHA512
48fd6d98470898dc6e73c6d393b82b6d4adecc546411268d3ae2c7aadb01bc8b69bcd506e3ea23ea3845c302717b64e673b960960c5233b179ae69e0cbe466aa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
b04e5bd04cd41eab768efb4bf438fee6

SHA1
ead80b9ab96dc3af459fb1850a5cbfd15fec4bc3

SHA256
9722dd0907d0569924f440d877698c93859298de26df928d16b147016b58e9b1

SHA512
305e83c5c14afb97642dd3d92b076475602a040f2699b842c4f21c90588df41ea950a65c6ed490dcb4d4049e70065e967ae2ede942e840d4a5585f7cd7258f39

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
8f2b6436370ad892028204436a8204fb

SHA1
96e301bf79a6e8900aed787afc643253c692b252

SHA256
998b7c1dd9b19f657310d64d9393ba0da7269784b9ffce95591c0312cd188b48

SHA512
0390da15718a1e74342670045bb89b64edf1c46555d995b9fe23815f1e2e3f4f0b06a111d8b264cc50168836a8fad9d63398eaaf0c099bd602b57df8ac8d3581

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
e87c4656a2621632e7ef19a6152540aa

SHA1
aad779894274c3cc9fec676498562c97075db8dd

SHA256
e6282d6873738e65f1b4db5673a53a8c7462db453bcc8887b88be27fe6950c56

SHA512
ac686e2a8c32bd8a0ce9377ad6f04440f711261c2b0ab144e9b54bba45dc12a44371b071caacc09a50531bb83ec0777ea71ac08b72b7d2f536cbee26acb65410

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
6dd84ab145df09614d489715ce5c11a9

SHA1
5bc95ef713834f1d7d5d7026a2357d1b7384ca77

SHA256
e10de8ddfee0502bc32957a9aa14d94dd64fef33c32276e9e600eb6540464bca

SHA512
8b4cc1390215de64b391bea0b072f0da6c2b8b356afdf217fcb611a823e14f20fe160eb052fd0fd50f06b1bf882749f4b2528ce15ec101b992e9850cb1372111

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
3d97261be3808ac13f48a51e8e491ea5

SHA1
e6fe8702fb4056625a2e0d6873ee14b4bfd77131

SHA256
40d33cb4ab9e1d690000345316028b875df0cd3f7b146577c7c7e75c3cae2543

SHA512
7dc865ee9ff9f9767c966bf232d12b5eccac584576d60af903fbe03eecf64fa4e25ab9ea2d712ea3952657f5baf872ce1b25d2a92bedfa1c8a2d2034932ea14b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
9cb6ae38be55fdb2124613c6459337a9

SHA1
f4c27a180dd8c321ed2a2799a76e0635f6ca51c2

SHA256
affe86d96bd23acc8d2dd700d5381977d297beca22234e7a8d7bc205a7e795b6

SHA512
a57ac4397c2ec07b258604af1510c72a00d291e3503adc1c51b54c64cf66ba34643bfc23e1b315a364971a66af627ba999ea84fb21f3eb7edcfe4f205652df6f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
e5b243a645d83beeac572afced782753

SHA1
459a65847ed0e04b48291e530356dcdaf5da9c41

SHA256
c4986d10eb16404bbc1cf75c17e5c9b327b0777e8d567fd79077dbddc1a77871

SHA512
6e249a111eb494d63f202be140eccdfda0319ab99ef935900bf88319675a475bdf17ea3804a439e11df63fee35eb76216f45ebb6cf3ae8aba39a4f0517aa7869

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
007c4c410b17f5939183657933227826

SHA1
1fd0f94617a5e33529b79bea50e7b3f5a91ba77f

SHA256
6fbe4da518de0b83bcb8582b811a35a39fb286f6ea910ab8dc2e60e1b4c70ff8

SHA512
8ae02a6137a1808cd5e425cd9a393863e2b8667f6f4484b81fbaa5e736533d2d20afff92c641825cf10acb734dc6761016853b9eb3b96b4bc14958d46b26d5ee

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
74fbe90f4b1722aff3f3866fa5cf31b3

SHA1
06c307c3fd0741ec4aa7882505d00a01ea009bd3

SHA256
94a10efb25db265ebe1138c6ee09d21a836798d8b0c8a47ff943160505c74181

SHA512
fa11ac5c740d1b9075e030565a4c856188db624a4c36fa69fcebda71544efaec5c8f22b96bcb50f9b4eb5a1a550e8e1f9569ddd88cfc530bf892c051a67b2559

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
3b13d68b4d67dae7cd7cf2d745944801

SHA1
052d3bce24331740abc4edfd8f66330b3d04130f

SHA256
d38235b249ef8dcb885eb68e140176d2929b75e051b5311ef255cb2be0939c60

SHA512
d84f0aeda04ba402c1a258929fff1b88c5e902c03e479734382b52b1b64d4ae761df042af58c5df65616e12d177a71560053f92e6bda422224dd3f8f12a6f411

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
9aed82cb182fe1463e40a696035fdd1c

SHA1
7a0e3cdb1d62a5c81b3aed89a5487fdcc8da5e4a

SHA256
f4709b8e577e765a007af4715a858f14c6ad7ddfe597eef887aea6e7b5c3e99f

SHA512
bc723f8c3f8781ba1264ad984260e1f98e8604b752f2e202ef4040b4529e4db21e2176b36c821ef12e600b3947e7322638f370a44642951a76585a7d7c5398e1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
948752f9adf8eb48d10821de50e2028e

SHA1
93bc6b63a3392387be291bc840aec306736fc787

SHA256
cf0964391b361832f093094eda364e4509a1c81517cf92cfa649d189c75fd75a

SHA512
6a67ab3d69c8a4664641bbc478738b61d53c48323156c9104e83dafa08aa55cbf9c2b86c08ecc01dacdafa2d88b9647c7c3f0627cc92106f45fd02e44cf8b58c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
987dca8910e38ee6405fb96cc370f228

SHA1
9fd18bf5a2da0ad67de94966048d291ae6241758

SHA256
aad76b9ee6372a26173efb722573ed66496aab132d171ebe9d2491ba26c00e82

SHA512
d219d00e5d487761acb5b3333065a97f30ff8ebf4551a044dee80b44e60ca68247be2ce677a810336f254bce891b337d71549aac8c0b269c2c857e352e79d214

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
e1e72c645f0cebd567b0f657edff2b1f

SHA1
472d544931e35a7934b194ec6c036f6e56149c94

SHA256
5a69e5fb35bbcc5562108882b94565e5fcb1b6540c3a1a98216f62e9d8f68684

SHA512
98479625fbaf20a096a7051bdb53ea6bb33646f5a9f1863c31827b1068d8dc20dfe42aa3329377737ba96a84f885f5f12f0f62072f0dfe4ce75bf9a3bd29041f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
b674c24d74b3ebfa09a4b8b4f23a49e0

SHA1
88cf8eb0bcc71790acfe15aef36d22a2481ceb8c

SHA256
6387d38015ecd5818bd65e399b8e71a901c73d040b6bfd0681025ee9ea719574

SHA512
b95c8adbec810caf8a29f6ed40bcb406d5f214ab07824bc96c3d579f38187d1229f8858bd649b7ad3c54f8922c51e915444732970a558de5bdf2c10532ef5625

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
455513551ad02d0ccfd7ed3b28a1b65d

SHA1
f985e22a00fe74c5bbc0c51e09e2a3285e99005e

SHA256
e1a00980df8cc5a702c0ff96dd72db5846e608f5e9abb6ba28ff16460dc99c60

SHA512
19978e24162fa7f18498efb12a0433b74147668f0aa1009000f430b0fff23df7cd5e4d06838e053a2b905512884d4300f9aa7be01ac8be7fe127a27d6b18d29c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
2416a9243c302e4cc48bb4a82070d48d

SHA1
b71d04066ff5de9d79e6684d4a7102337bf010be

SHA256
c2348f99e3b0c860df4d4730b2c28f5c1e5d678f210210719e851dc781d1d6dc

SHA512
89df30930b53cbe6c7da2d16c1e19583868e87a2f74c7e51a6bff4e8475257011888768a460cc1be0802c4a1e76ea7be2045fcf60df6ce6ad04499619678cd29

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
ea19d6ca16daafcc96c9cdb57cfc9fa9

SHA1
80c49ba1b60e7e5e9c227879a746fdc3b8c37b5b

SHA256
7a999cf075a13d203c791189838bdd8b30973e18de6eaa54232dc483e55d4c60

SHA512
f6abdb46de2d1bd75e9ccc94dfe356b4fe0eca8d8e51a3e41a2ff79bdbf413e70d4bd742407c611a21840fdb3803e9b25a9395c3a3a300417cd72a46bdcfec2e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a0971305eb22750c0a20345634dfe808

SHA1
2d40bc0e59cdefdb3e63b673d479315009bc506e

SHA256
ff07f69c2a5b6a3b03ead621d27cd7c8a372ebca74ebbe77f978dc9b45f7d7e2

SHA512
f85e6dbfc8573690e6c1474ef16a84bc82c07d9aaaae9ed7a35e532fc77668028676bd574c12789908aee97a1c818263ccf0f216f6553d203d2592f819d94802

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7e56efba71612081899ae21882886187

SHA1
7c07afbb736835f921d2df2b35d96a679d2d89da

SHA256
15e300675a9f70f835a30fd82884eeb3b112a6ecc5871bfa2b598d5522df1517

SHA512
8d63c930ef95afd4b8a061dcae5c8ae03573c3919d28ced51b58a4f3c1d99b12ff29e2a600599d39db90079e9e6447978117b0b07a96f73ae23598a477ee0f89

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d1422b6fffe99ff7c1efcca7fe754358

SHA1
ab97b939eb7d9938cdc89dff593e7c5d6e215cf8

SHA256
db9565c690ca11d24caaaeb0f0378235cd2db339800de1c927b9cb2e2046b9ca

SHA512
68a76a39e38deed95589b950c4c8a8f59fa328057b3c47102e41fe3582694b3039de53602ec2e798edde1b2a18b86a7606474e9302282b5117a5617a4a336273

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3e5818b0c05dcb62e444ace8751432c3

SHA1
c443dfecd2d93afd48bee6ae01067b7d2fd4bb34

SHA256
5229eec21bf5cc9cbfe3ca6ec6d7eb29e97aefee09d0d0b42c24118fe1ee4b56

SHA512
ac553f86ca09546a020343449b52efa04cfd09748caaee341bf001ec67ba618d372465ba12b25f848731297d4474332c00ace5fa719dd68d81ca79c935468ff6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8be85a0e33a8c5a2e799eea25a6a97c4

SHA1
baa4efbbd351f8b7eeb9acf978b872e45b3c72bd

SHA256
b01c67574e68f13944122cce1b8e6928ae51d1a35d9829e5a546577bd104deaf

SHA512
36cf8aca4304964e3af6c90509e6e903471971c4d2b259d155286a46a1d360bac9c6f06e42001af7c94e8ad98f675050767ce64bcacfa3efdea9682e807a3006

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a4ec5488b360c09b7e0f51b92bfa4ee5

SHA1
c14c3e8982f54561f7bd23943af55a8969409cb1

SHA256
788209bc3b485722127f0557e9698249b1a4060e6c0cff61b8aa2df50b5a4f9b

SHA512
5f79e4dcf8f74f830e41e5243414ad791ae8f7591a95b23d46c84911f468db1a7b21a50151ea3cc7d8dc63a39dd40d8cc92ddebac74539de6db6f3241cc2c322

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
7881d97cb85eed8b92c32ee9b8c45819

SHA1
b0e176c3a84aba1abd872efe6117322114a6acec

SHA256
799f23dac5822337aa0d01407ca58156951d301da8c9d63211027b82b185b700

SHA512
4d10b8212580157ab3587b407e9ebe268719cc870c25792bab8bf5e5a3f2b5a3e13092ec41f482821914c61a27cc2e88cfaa9474d3dc39ff659d36b174be2458

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
7881d97cb85eed8b92c32ee9b8c45819

SHA1
b0e176c3a84aba1abd872efe6117322114a6acec

SHA256
799f23dac5822337aa0d01407ca58156951d301da8c9d63211027b82b185b700

SHA512
4d10b8212580157ab3587b407e9ebe268719cc870c25792bab8bf5e5a3f2b5a3e13092ec41f482821914c61a27cc2e88cfaa9474d3dc39ff659d36b174be2458

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
01e66100b3e002978ba2ed2cf5ba51c0

SHA1
25c26b52bd39483a8491d6c2be4e5f191d346bd3

SHA256
3f81b8fd1b4d946f6cd18c88ff89e9aebb710948c4eb46f79384c1ced7db019e

SHA512
f6349c975a6ba19fadf1fd85b5ffeb79b1266d3944294c7b0d14419b37e59e153515d563b01c5d605e17f122e0ff4c86e5b62baf75da4dbc2c73f57ccbd1d763

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c0eb7888b1b6bc9c903a371bc93293be

SHA1
262f7a73a79ae15e2c1e64a31565daa3ee70b640

SHA256
32e3fce1267397408355c58a1478c3785091b49848da067535a78a9cef80dc59

SHA512
94528cc8bfd6b8686f1b3dbdb0b208f030cb4ba536785e62cb1160b9c540d2360d6c56bbc02138e96f9e364e8c2c9776bafafe19a3383bc72a1a7500d3d20f8c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cc1235e68a15c1bd88dde6a8b118068d

SHA1
a960f8553b5bb220d935ef8ec6ac0e03c2989abd

SHA256
0f4a4363545e02e2c5f9470662a1472e0161e3e434a8bba502afe08b228a8088

SHA512
8dbab088877465b1155ebc8194e46329b135e91bf63a1fa8665eebb1345d68d38e58d0f84053c259b46bf294a5da3d5bd63d99da5146e5ac4f0583bc442c0299

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cc1235e68a15c1bd88dde6a8b118068d

SHA1
a960f8553b5bb220d935ef8ec6ac0e03c2989abd

SHA256
0f4a4363545e02e2c5f9470662a1472e0161e3e434a8bba502afe08b228a8088

SHA512
8dbab088877465b1155ebc8194e46329b135e91bf63a1fa8665eebb1345d68d38e58d0f84053c259b46bf294a5da3d5bd63d99da5146e5ac4f0583bc442c0299

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e79016aaf8ca7c5e20d4c8790c782c3d

SHA1
421a6a4906f7a9ed722f400ec3200c3ab1a8f1f9

SHA256
7155e2b2f45e6191f76188a4790c0a82f2d160e219933818d733e1024b337082

SHA512
51595a9d4057d51df184cf916bfe8306367b76e68d93e6ddcdea4a3c3dcbf0208943732f64f6e2dec1b97abe7f939ff5108fef60ffa1c6eed5642e2655000288

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
52063995bf8fab75a113c85d3e670135

SHA1
b1b4c592092095622ce7985ad4dcd5e519447695

SHA256
8c2aa6515aae7e1e3ba60915baccd6ce1bf5eaf1a60157d40124bc114fcf8f1c

SHA512
82e0d861566a9e76869d9211c431e5e877de37779b5134be7e1fc8643082bfcdfacce3698cfb50b62f407a8d8e2260bcf236bbde40993fe55078b07201368b79

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dc36b1fae9b0fc819367a2bb491a7d62

SHA1
64e7e9b598071e9d2c4dcdd0338bc5090d477b75

SHA256
97a472ea5db457f7ade1face526071f060f7c7c0d0a139a5f5df3b937df24f8a

SHA512
44b2b647c6a250a71e7bbf45b6184cefccf234de98e9f9eb756a2a5528331c89602192864d4ef5e0e47b4ea85a5e57f03809991d700775218fdc26e20f63b9a7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f232961a461579e0496c06ad00c6c832

SHA1
eeb296986e7f5bb529824f8795acc88777e0fabc

SHA256
33ee555f27c1a5778a5461dcef8ea7aa495b73375c86dc0d31700c777d59008f

SHA512
1ab29f8c8720c61a643440d5296ac0b7e299900a7d326886741fdf05345b451dd64b344cccc147325a9fd31d8ab352034e527c5cd9c98e4be0bba0dfa92b5ead

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
e88a6ed670b25f93da7202d48bc3af1e

SHA1
3f15d5e3dddc36cd810c503c70a5b6b7ed9792bb

SHA256
b0b2218bef3a94844236625dadeff8e2f6620b7799104a9b6e129a2dfd85a0a4

SHA512
eaf586b0300f673c0d94c8559c718265aa34564814455ed772992e05e85d48c7af83e4fd071c1955aaed1ed7c00aed7f4aa8a7360d3a9c18e9b4f84177393223

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2627bccb449c0d317f33b008310ad6e3

SHA1
a69e6ab3d9d20a9617f4b8c822123a348ccdbf94

SHA256
c74559713dc2a30ba063da19306b9ba310456b556a94d814ac78570855167f7d

SHA512
e304789daaa43629dcfe468ef160fcfae85f1c3623c36520a7e6736b1a74d4ffe5e36a23d19cb45d9315b3eee5e70e43939c7cb06188a8361928f61131bd539a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5a18f171407d1d20d1799dc8d80c1219

SHA1
61ec77ab0bb0be82a82a581e5965bb249d7479f5

SHA256
c0f96179a4588a4a814fc8194775ab651c811ebd6e4d2fedad81da7492f4beb3

SHA512
3270bf71ed813729adb2e096da62240e6f82800db1f1a001ac3c88dff227c6c2a2dff9180451255597b813d3858c40c2b03229a729c12e42365a5c8bf8afbfe3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d8465d9094c74787e0901d212a374085

SHA1
1f14e846edae0a63d729b8f29de1600c9c958f68

SHA256
659f9cc106374cee582337b63b264fba036988473e2cc2a4ca0665f06cb8b811

SHA512
3a2476a0b2902ac0784cd9294166f4519ab77d332c4f63d0af9111c4433bb93bb52768333f73e39f7892e5da6a84c93b254d5d09f306f80375600263c1e1d50f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4e4685e8a2fee170ef84ae09eec5c9d7

SHA1
49827b4c9ad87b193b443ab4702c32530d8e8db2

SHA256
205b5bc668ce34fbb6220a86c77066ab7c3f79b76d4fb7e83959549d5c38d191

SHA512
eed7d72fd59c3f611fc7acd5c651b7d104da83f3d3adc18d7ee605ca0966d00d02bf2d2f53499d477cecb42cd2c4647cc18f4929d8a59560d3a657d420a4e260

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
d1422b6fffe99ff7c1efcca7fe754358

SHA1
ab97b939eb7d9938cdc89dff593e7c5d6e215cf8

SHA256
db9565c690ca11d24caaaeb0f0378235cd2db339800de1c927b9cb2e2046b9ca

SHA512
68a76a39e38deed95589b950c4c8a8f59fa328057b3c47102e41fe3582694b3039de53602ec2e798edde1b2a18b86a7606474e9302282b5117a5617a4a336273

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f10dd94dd3a014168bf0096350e3f2d3

SHA1
1b65367ccea06192b02bc03fbacdd3eb48218fbc

SHA256
5745b0d9a426488b6edc5bcc87f4d2a334a4f0468704b99670d2a863d151afc5

SHA512
6337168e45f701ab7320e7064c0cf4c9b8fd0773998809422555a240722c368f7963554a81ea5c8c425f3607f4c0466f4d90e0e981a3099c2958049327d47a71

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7dd6dbdbccca518d70e4cd8de2c15d39

SHA1
08243d050569d6b39bec5e83df5b2d149282c6a3

SHA256
78324f4465e00b61fdfa1100316efd8c63ca6bb902571311675ef45e4f08ebc5

SHA512
91dab37979e9c424cc5cffa21930c349634d8d06e90aa7a5d48c5fc308e1dc9e85317c9e05bfb42d38ae750b29b9ccf6f87c76ff0b4f7b6b6623392c57af05f9

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8be85a0e33a8c5a2e799eea25a6a97c4

SHA1
baa4efbbd351f8b7eeb9acf978b872e45b3c72bd

SHA256
b01c67574e68f13944122cce1b8e6928ae51d1a35d9829e5a546577bd104deaf

SHA512
36cf8aca4304964e3af6c90509e6e903471971c4d2b259d155286a46a1d360bac9c6f06e42001af7c94e8ad98f675050767ce64bcacfa3efdea9682e807a3006

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
030c45b48f71f5095cb2d45c8515ede1

SHA1
81eb6dc594bdbc19552e4e85f4683fe03c4787fe

SHA256
a935108e9cd756afa1c67f6a5370b1be2c4b198c7e76a20ca7a7364854aa39ce

SHA512
850a50b3cabeec234416caa4910f8aa58d3cfbe1f1cf2d59bddcff32c802f3b7b823ba94573943367b68fe76834f505f8ef2370672ced17abe9574011d64d3bf

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
75e896c1b369e8462b0b8218244256c2

SHA1
53e4b664be8e82d0a5aeea4c771f83f2d61c4683

SHA256
b22850fe18828a77dd6a927f736001dbd8abf631ff299dd7e545e06eb312e074

SHA512
4ac0aa911fa1eb714d2de86e222e3c560829c4b2763ef78c94e23b3524893026c5c7821bf0d5a699afa83b8d72f6e810f6b8e2e752212f751b06397c1d640eca

Download Submit
memory/64-214-0x0000000000C00000-0x0000000000C66000-memory.dmp

Filesize
408KB

Download
memory/848-134-0x00000000050E0000-0x0000000005684000-memory.dmp

Filesize
5.6MB

Download
memory/848-139-0x0000000007BF0000-0x0000000007C8C000-memory.dmp

Filesize
624KB

Download
memory/848-133-0x0000000000030000-0x0000000000196000-memory.dmp

Filesize
1.4MB

Download
memory/848-138-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/848-137-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/848-136-0x0000000004B50000-0x0000000004B5A000-memory.dmp

Filesize
40KB

Download
memory/848-135-0x0000000004BD0000-0x0000000004C62000-memory.dmp

Filesize
584KB

Download
memory/948-279-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1168-175-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1168-462-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1168-177-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/1168-168-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/1432-407-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1432-679-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1604-589-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1604-330-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1676-380-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1676-672-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1900-233-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1900-243-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1924-359-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1972-325-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1996-162-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/1996-156-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/1996-173-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2288-482-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2288-201-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2288-197-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2288-194-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2596-588-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2596-328-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3124-303-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3124-557-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3132-379-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3204-460-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3204-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3204-171-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3204-149-0x0000000002BE0000-0x0000000002C46000-memory.dmp

Filesize
408KB

Download
memory/3204-144-0x0000000002BE0000-0x0000000002C46000-memory.dmp

Filesize
408KB

Download
memory/3204-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3376-773-0x00000245154C0000-0x00000245154DA000-memory.dmp

Filesize
104KB

Download
memory/3376-860-0x0000024515570000-0x0000024515580000-memory.dmp

Filesize
64KB

Download
memory/3376-822-0x0000024515570000-0x0000024515580000-memory.dmp

Filesize
64KB

Download
memory/3376-823-0x0000024515570000-0x0000024515580000-memory.dmp

Filesize
64KB

Download
memory/3376-772-0x00000245154C0000-0x00000245154DA000-memory.dmp

Filesize
104KB

Download
memory/3376-755-0x00000245154C0000-0x00000245154D0000-memory.dmp

Filesize
64KB

Download
memory/3376-751-0x00000245154C0000-0x00000245154D0000-memory.dmp

Filesize
64KB

Download
memory/3376-752-0x00000245154C0000-0x00000245154D0000-memory.dmp

Filesize
64KB

Download
memory/3376-753-0x00000245154C0000-0x00000245154D0000-memory.dmp

Filesize
64KB

Download
memory/3376-754-0x00000245154C0000-0x00000245154D0000-memory.dmp

Filesize
64KB

Download
memory/3376-718-0x00000245154C0000-0x00000245154D0000-memory.dmp

Filesize
64KB

Download
memory/3376-717-0x00000245154C0000-0x00000245154D0000-memory.dmp

Filesize
64KB

Download
memory/3376-699-0x0000024514EF0000-0x0000024514EF1000-memory.dmp

Filesize
4KB

Download
memory/3376-861-0x0000024515570000-0x0000024515580000-memory.dmp

Filesize
64KB

Download
memory/3376-673-0x0000024514F10000-0x0000024514F20000-memory.dmp

Filesize
64KB

Download
memory/3376-649-0x0000024514F10000-0x0000024514F20000-memory.dmp

Filesize
64KB

Download
memory/3376-644-0x0000024514F10000-0x0000024514F20000-memory.dmp

Filesize
64KB

Download
memory/3376-643-0x0000024514F10000-0x0000024514F20000-memory.dmp

Filesize
64KB

Download
memory/3376-642-0x0000024514EF0000-0x0000024514EF1000-memory.dmp

Filesize
4KB

Download
memory/3376-827-0x0000024515570000-0x0000024515580000-memory.dmp

Filesize
64KB

Download
memory/3376-826-0x0000024515570000-0x0000024515580000-memory.dmp

Filesize
64KB

Download
memory/3376-824-0x0000024515570000-0x0000024515580000-memory.dmp

Filesize
64KB

Download
memory/3376-825-0x0000024515570000-0x0000024515580000-memory.dmp

Filesize
64KB

Download
memory/3824-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3892-277-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4676-404-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4700-283-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4956-216-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4956-224-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4956-223-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4956-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4956-227-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4988-193-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4988-190-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4988-187-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4988-181-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/5092-302-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/5096-409-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5096-681-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5116-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/5116-211-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/5116-221-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5116-484-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download