kinsing | c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
Size

1.9MB
MD5

7b616afd3de0063e5a7d4c2732f19cec
SHA1

bd5068392df61b956fdb10fa4711aa8c86439ff1
SHA256

c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4
SHA512

3415dcb5a9446d9030e72ed8b2ad173672dae93d7373cf79b056a0a89776bdb65670aafa5bf66ee2f2f1734cd3d4f6ab53e8acb26141abb0714eab21e65f1cd8
SSDEEP

49152:KKjKWQc2b1FVgbjrjxPe1pbPSQm1Flo+LjUUSCfmzz9YVgY:KKjKWQckVgtev5mnlNLpSC+zzKi

Score

10^/10

kinsing loader spyware stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3264	alg.exe
784	DiagnosticsHub.StandardCollector.Service.exe
1888	fxssvc.exe
3164	elevation_service.exe
3240	elevation_service.exe
4080	maintenanceservice.exe
4680	msdtc.exe
664	OSE.EXE
4624	PerceptionSimulationService.exe
4356	perfhost.exe
2276	locator.exe
5088	SensorDataService.exe
2056	snmptrap.exe
3596	spectrum.exe
2936	ssh-agent.exe
3740	TieringEngineService.exe
3684	AgentService.exe
2928	vds.exe
2812	vssvc.exe
3284	wbengine.exe
2268	WmiApSrv.exe
2216	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\System32\vds.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\20a75fd91f063bd9.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exec4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E3F.tmp\goopdateres_fr.dll	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E3F.tmp\goopdateres_bn.dll	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E3F.tmp\goopdateres_iw.dll	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4E3F.tmp\goopdateres_en-GB.dll	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exec4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098106ab0a44fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000558ce4afa44fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040124bb0a44fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006da1d8afa44fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000012ae2afa44fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000191c18b1a44fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000429b54b0a44fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
784	DiagnosticsHub.StandardCollector.Service.exe
784	DiagnosticsHub.StandardCollector.Service.exe
784	DiagnosticsHub.StandardCollector.Service.exe
784	DiagnosticsHub.StandardCollector.Service.exe
784	DiagnosticsHub.StandardCollector.Service.exe
784	DiagnosticsHub.StandardCollector.Service.exe
784	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1784	c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
Token: SeAuditPrivilege	1888	fxssvc.exe
Token: SeRestorePrivilege	3740	TieringEngineService.exe
Token: SeManageVolumePrivilege	3740	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3684	AgentService.exe
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe
Token: SeBackupPrivilege	3284	wbengine.exe
Token: SeRestorePrivilege	3284	wbengine.exe
Token: SeSecurityPrivilege	3284	wbengine.exe
Token: 33	2216	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2216	SearchIndexer.exe
Token: SeDebugPrivilege	3264	alg.exe
Token: SeDebugPrivilege	3264	alg.exe
Token: SeDebugPrivilege	3264	alg.exe
Token: SeDebugPrivilege	784	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2216 wrote to memory of 4648	2216	SearchIndexer.exe	SearchProtocolHost.exe
PID 2216 wrote to memory of 4648	2216	SearchIndexer.exe	SearchProtocolHost.exe
PID 2216 wrote to memory of 1844	2216	SearchIndexer.exe	SearchFilterHost.exe
PID 2216 wrote to memory of 1844	2216	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe
"C:\Users\Admin\AppData\Local\Temp\c4d1cae08afdbeb0430693842de3276f89ff58f1aaee887e331d7f5a3869e8b4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4028

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3240

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4680

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5088

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3596

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1560

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1844

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
580KB

MD5
2979dad56f5472fd62911a8f7f46553f

SHA1
f9d99a7f8e6c13b6dcac690d87687e1db92c1fa4

SHA256
970e9cb38cdffe77fe634fda198f6744d3984f1847efcb5d5170784a8353822b

SHA512
c9b9d5be26bcb76ebee1ee5b1c9eec1adfa1740aa45a64b5583cba9cd6e0ba79031c87798c945e5956371fa199ae4bb3bb50abe880c1d2084298929e221d3f35

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
561KB

MD5
89c44a0319ee4b6936ddb04d64a0025b

SHA1
c4b6ca2ad4b1bd791e565a9745cfd4eb5a397809

SHA256
1ceb68b366f0e40bb912bf2123813556736803de8ab3f29829834e691510cee6

SHA512
57038eb7f96bc9e83727bb5495ea04ef39c48a7941491088a55f96d40c2a9dd4d7595929899f2784c128708c5d37200aaa226f2a95df2a9fadd93c29628d62c7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
443KB

MD5
1fcfb36883a6b3199aee5989470348ec

SHA1
666c8b5e66238453c5749cee436acc89321dfac0

SHA256
315379763e1448b389c84a6d1babc9796d4d1f0293ec80e17a0c9e86a85cab69

SHA512
669d4652eb13160a7d8eb29345013b4e09d0d6bdfad59742cc76a1bab323d721f53984928e95152700cd758562ccb6cad2e12cf9eee4a37e95227eb565f335ee

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
579KB

MD5
149354bf4d5859a0c1539bc0dc790878

SHA1
8de2d4972cd647bb091bff792cb0c379a33764ab

SHA256
375f726ad30930876e04cec370cd5465d3e6763dd3e0af69a591d53a4c95ab7d

SHA512
7d71db745d5b6d7d5373a4f0ccb99039dedc895d40d38c1d49b028d5f6c404642a5c66d0637708b8e6732c4442608e37fbac56c2b8eb2b330ade546b56b0135e

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
572KB

MD5
2525f40dc267035cd93684b4835435e5

SHA1
8c136d1e25598c5286e02cba8deba3eb01390993

SHA256
6b31e9f3b80b6b75635dba0da00f85ec565d0c9252e6a9f7999b4e9e0122e58b

SHA512
9cf47b192dead61e8f8759536386872d5789f91cd3319f1fb6e41d3aab42fe3b24eb04141099ee3147340b8ff3c04270cff65514b65720413d035622fa076fd4

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
375KB

MD5
3c7989306bd669af6389a6d9e3e51a9b

SHA1
5d844daa4bf40b50cf5e95a40a36be78fd37be3c

SHA256
5293c3b9aa75c5526683707d8f5852a21ace403708e978145ae3c19ebf49966e

SHA512
a34c74a7a14fc0ed0f6c4901b30d6708cad1fb97266dc1977564ff4996f68f551b848ca580691f625bce204c95c5d9a658a339daf3a57495e4d7e1746dd0686e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
394KB

MD5
eced873cf8949ec1be3d81d2e43adbd3

SHA1
5e1629f638ed19eb388187f6ad3e1c61a823afdd

SHA256
da640b335de169a95a6b1308a9cf5a0370bca545c0baa18760adbddb4fe122a1

SHA512
9c95aca51e9e36217404adeffa8d8f9de2c15cf19278ec16543916644a31ba63129c074ed11a4fd7a378a48178f182930b39682894a567586a1ea6280aadd492

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
473KB

MD5
ca5746bb611d8169601b2338d6459de1

SHA1
878204e33bb27ab26ba5a5131cb53af4a5984d87

SHA256
e755ccb3a81522444f7a83cce453898ec0251b61ea0e67d3d305f6e7730944b3

SHA512
d08fa0a937dda3b090b27bc8123578b4b97d8463906ba141e81f59e8c1d143bb468c274d4779deee0d690fb01a42c9b202b0633f858a5d5fa403c6010589e9e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
551KB

MD5
8753d7097ade003e5b3480940b88a563

SHA1
27ef1dde074acb1a3251a570cc45117bd3e52b2a

SHA256
9dab7280c798626ebb8962414aa41e4334d203d2df4e614817a0bc2d2efe9cb7

SHA512
2429e22d5fdf7d170b1ee13559c6b6259c0a03cd0569f17aff448c6243f81f4b037a211e1386a10751280fce759685a25abd1cad2f4d5b5693ccba805d94d1d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
481KB

MD5
91536a431e5940d7b0d35a561528a0f4

SHA1
9bf054636169e7af3c836cc9e0226ba0c7d34fd8

SHA256
97625172226206a4634e99dfe0481762f5fc544f07851d1a21c2513189633d09

SHA512
fc39af40c831ceb012b6b03b95360a83f4d253d8bdfa998f985aa5768f5432ece0205b64399147197a7b94e6b77023b131adcba6a007e517f588843fc1279eb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
230KB

MD5
6b5fa7510d3252b4de83a49eaae0f2bd

SHA1
8a3c9dd46b03fff8635b96dc00b3fe05ccb7f52e

SHA256
7d3f9e0b3546d54a4a59c9866d991e9e0de06f167a67fc4180e8fc7050fc963c

SHA512
92bc0b205da6c20753cde7d2361448c91d5cd95c78bec70a3ac4383f7621d072696091cfce89c829e1fddc1c29437c9a56cfd63304b578c03d649adc21690c89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
425KB

MD5
70c5b95693af8461bfd7ba27ddafa4fc

SHA1
ee7ea803a30e1bea126dff7cc862b2c15dbb9ff1

SHA256
bc1b08d827be9d26b64a4563262125f4348522d7704e3edcfa440dc9fdf064e7

SHA512
560aeb195f577e70090961fdef74fe04408def8ac46d5915c3d006d33aa22cea66ea322fb40fcdfe2960e7eb231db469904b73c0274b479e53328a90279c3e4d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
438KB

MD5
d0c59f33fb5b646991db4ca1478ff7f5

SHA1
46b9e2c950aa9fb5e6d848173bca5799ffb4a893

SHA256
ff8a3e355450c24183f04dcfff88b04a36c5a525e34032620edfe291d15c3c90

SHA512
e0e79ddce9ed03cd01dcd70e76db2c24c9fffa1dd641990a8908afff08e298fedb5e8e085c5c6e9c16bd6f13bdbce1b168deabf9fb3802827c217489ff481201

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
340KB

MD5
feafd074b8596d6ff72b853063a97fa8

SHA1
bd0a1e3aaf55137b903bf605689a3cb6d4a4254d

SHA256
7023f1122da5ff4d0ec31bb5475fab13f3c09c84c7feaf66f0c403cd3fb816ec

SHA512
64be9ecd1fc9daea195c76a7c5d5b49e581f34a46c54f19b6897f590dfd4428e75f407c107a30b5d3cb97bf8cd369d981025ed8f02c42329ecef751267c4bb68

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
471KB

MD5
d247ed5a2ecfdbfe45c28fe486ebd202

SHA1
e149b07b9df4a0567a6002efc5d56742d47d81ac

SHA256
7642e7a94c300d276dca0f8e502de9575598015c7d75bf3bdf081bd0160d1d50

SHA512
da76c4e999769b60e71d5c0adb770df99ae37a0994c41097dd77db7a6b4bab5d379c077311bbc48437bed8507136339509c8d0a496bea31824271ca1c181f129

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
416KB

MD5
67f7d9b42ac72a0155db214fa8d3d91a

SHA1
7393b8a8255526ab315a5ea11f3214ea68732e12

SHA256
01388f5c83f4eaa3cdbe88a2e8fc5f33e529d37774bf0d59966a570e0f578369

SHA512
8f266209ec50dd99677209a999f85d0e798871ac7ec0ac05cc80b659236eee9c502a23b6b9cc6116397993062c4bef721e4602960ea1933115439100d7d3975f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
620KB

MD5
2e97f288b6b7fd11e162609bce64f760

SHA1
6b39580456ac8b5d18ba238f86a0409c19fa5788

SHA256
9c5ddf5d8c18be99a473d759ed281369fe8c353cd2bf6a55b138209a56c5781f

SHA512
a920e5569860bb9080888dd81b1c3ad048001f5f1423dc14976d5b2cc7bcb297680bd8b93878d505311fa47fdfc04095d7616775b33c32c221c2cf522f7956ce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
295KB

MD5
58bed5862995c0e6336601f08ee79057

SHA1
03aeba069d51182a6917bb36501f07575fda0994

SHA256
b13dfeba539f3feb7e6d81b71449bb78a648113e49e6990b4a91ae10dd05c058

SHA512
c843dcef857d29d9dc2e12b45e7647a1ac26e51f57d25c7f412f2e9af769191932c1a56c2adff00eb303ad6cb6f5c15db619116026c1450e96b10e198d3d5ca6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
1.2MB

MD5
d12f00f5b20e4fdf2fe2094aeea60fe9

SHA1
d230ece43da646b3386149b603f96d80777af9c7

SHA256
c905ea0588f21c23853b9d4e7f6eb72858d2ccce587467bf9aa750c51094384d

SHA512
460fe4e24573937f1563f113b6a992c9d248c95a2f6d698e9badb1911b20fb744ae78dad0ee0887a0dd37d77a8755cd3cf333892bedda7491b8f72996c15ff7b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
626KB

MD5
2d68b37cdf71220b276dd9055600757b

SHA1
6c3294f80a9e3890ff2f805126570135b88af322

SHA256
5e361544ddec6884933d9e916b8367d4d1c8dcce0960751984e54f14a662022c

SHA512
cb48e24085f940c2f2c287282d3a2c51148176a55f6005b9cf13b193e430e303da440c69f84d6547306757cae2cc1c646b573e5812af0e770fe49a4ccbfaf117

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
370KB

MD5
97c4606ba53031599ef0d09fd1f65fed

SHA1
f1ef3b097ced52f577a9219767cd4791a1479147

SHA256
2be3c8b202f4283b71569063eb8bc0d3154d26fcae6ac07fae4faf0018283cab

SHA512
e84750e81ff37f0025afb90425b774c025d8974a0ea4bfae2016e6e60bd84ef711e51f4fed431c8ab7d27a095e35b4f42080e204914f59eab53d8b729a16e7ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
249KB

MD5
523c8c70967fc46fb971fd460b0239f4

SHA1
3d909a69788851652169cbe69c3d26af80af2020

SHA256
1fcbc433fb9ea1bdeea82e4b448e8d5613ebae1377061d8155a7c97619c5b949

SHA512
fd796d31e5101368a4c2b8f6412bce5d6c9ba6ee0580cd60359c19534ece2b1ccc6fe14cd9dc3bd449cfd0e6652e93b8c6fa4824498a75aa81cb7610a30d64e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
503KB

MD5
53fe94d9eb3bd52f7d70bc292c21eba0

SHA1
38c70324be2958ce10ed0db94a4d93a4adbf8619

SHA256
bb7d89fc1fd269e95df1df6e8329e98b0c18c802a57170c022f16f3a8bc0b531

SHA512
23804abf9f29d5bbca2f36427cd22f2373cacb3eab7407f171582c67f917bb742a874443afd12871bbeeedae61311393660eb93f2a937a498fa78f9db02a4be2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
573KB

MD5
24bae0f8becdcf2988eb9290ce80560c

SHA1
de7388504390351bf3da882e5039d6a8ba5b6508

SHA256
568e0181bfca1f0ce19d4599d32b8f05e198dd5406514afc408b3cb7610a5c14

SHA512
ff87f73063d44a188fb93f8480cef7975cb831abde2f1549892195c57cb7377c64fb5844f777d93e3b08dc36ab27859184a0d5c0f23df4b7a873c9fcebf43da6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
313KB

MD5
d017301f5e29e4156e968c94183ce933

SHA1
5d0cd3bd36a9535009bc6e737ee0fb1cfe6a3da4

SHA256
e5b4c9dbb76994fdc6bdccda709011ea822ce765df2e0adbd189ca1936f06a1c

SHA512
5229fd1195791a694d94501fc2909663cf6a81d0f02dd4ea32c18f4d5673257e48b99e5054c30f3792e3a355fd5cd6959fcaf6fcdd392b173b3b25de5adb8394

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
368KB

MD5
0329283006acf530a3aa106a522de66f

SHA1
8086d6020ae98b4c594b7c54b7fd3775e63c0505

SHA256
e7cd81ec42b3b235275af3d7cf77d41374c6e889049db9fb273a42caa693479b

SHA512
72b6b054e0f85a77f6358f8ae4e49b61d3899aaad21a1176d84891cc471739a0d58fed513da565dc41d41eaaf0b77e3b4a9a6fe1b9566c5cbd0ae5fb779a8dc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
263KB

MD5
c638081281f5453a756624e36fc290ee

SHA1
55b646e1647c92cf4e8772cc37ca9104e98e95d3

SHA256
1bc4a17c8e850f7f46392cdf6f788765a94e64a3b7784ab4e7217db38bff649b

SHA512
e82594849e099d6b18baed0bf7c0826db187f74a4f3a756d7de0f363639f366cec2f5b17e4dc0ca81c093f0b682ad82e103db4d55af8dc622bf46c63ab799be6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
513KB

MD5
630f3c97bf87a18f6bd7817a36a770c0

SHA1
193b7989051e55979b87cfe92bbc6a4a3c7e3995

SHA256
f8913443b00320538ddf9180bbf1bf70b49946aa7617a1eea439be60b79e9099

SHA512
5667f8c6514a259181cc06a685917c24fd8543ffa3d97220209b6d53912e06093541ca3e7608f7b0018c88b4afeb03cb5ba1025401b323665eadf52f97531f34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
458KB

MD5
61a088eafa220734605c49516d2fd827

SHA1
838222701eef80421904184798484018d1bf8795

SHA256
dca7b2ce23e22a30f54477900451894aaa78895537a9eee172b1552e06163583

SHA512
0eed8c2361f0386958d1fdabe49ef8537361c5d6a90d80bbff7bc2b7c00542dfc807f187669c0f2d4f52bfa3e52690a8f2c5d2e6b1469a7894e42ff81ba918ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
412KB

MD5
064cb34c1f29762f9a531fd252946056

SHA1
509ffa05606540666cb22b935df1971009006ec5

SHA256
551d4cef6ccccc99a4d91308d72ddf05ea04583556f7208bfb7ee7e7f6208fcb

SHA512
bfc0d33f078854f5837bc88fb4b0be58f8d55ba4e185173a857f86b44aab4bec4dd58dc450cfa813f631051a96d455fb6bcc8e28e5d88d7f3717708284f7e977

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
143KB

MD5
cd1f8f45661235f5b80150d6dd0ac3c5

SHA1
a48093fb4fc17f6431972f302fb2fb60b7952181

SHA256
228685bff5323e2cc1b43fbf8a1b57249d8905febeb3fbb70db77106c586f43a

SHA512
0cae58cef3382d36ecd0db099d42a7e8969bf2fdc2b659bb800c0f5c3243ad4494805c786620d0af6a18e3416d32515c5abc362557fc6c4b60a4e6ffb09a615e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
133KB

MD5
26c9d41f7d77bf9d9aa583b84975d1f7

SHA1
ce4d30479d0fad09efd77d086f0c395a4d52a724

SHA256
0bebfbfc4c338724a4528ffabd8d33120e5b5b2a7dcc28cc7087058f3a9501f0

SHA512
3f3c464b6909767e4a80ee532bedadaaf969472d9109e21776ae4745dec837a21205eeb02dcbd484b45181def9cf47d2553270012e01d8fbc0260836a24d5dd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
384KB

MD5
de9ad2ed7431585bc4dbb09f6c422901

SHA1
34104ffcda387ba854611087e001dec06d117de0

SHA256
5c77b3519c7f8fb72129b1dc4b7e44442ce6f6c62984fc0ee58fccd7c30f75d4

SHA512
7905a6d437f974c1177e42913f7b2304c64e4a5c8196e79eb50d5fa9f623ce6e0eaa915402695567bcb93ed26585bdfaca2131d2fb7139288ec249e59c3bf7cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
319KB

MD5
2dc088dcf3a6615a5c225c98f40c556a

SHA1
9157c360c22b2170a5d9dbf1bc723964789ede7f

SHA256
e08cc46074fafe0cbd19db52cbfd986af1ede34689c855311d95427df7819806

SHA512
89dc93e02d4736252ecbf9ced5942105cc454c614f36685b0249e6ab6198a04aa5f29432afc73b0f132a7c326c43667656efdc02649e5fd2896039737866eae8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
162KB

MD5
b3a04bad93b6ff7076e77cdc483d3774

SHA1
df2a16281820f6ab3275bca1e5594f17d908485c

SHA256
c07b29ae0a5cf7df3743104e155deb70ad30c1917fd3607039ec8452caa56d03

SHA512
6d3f0f4433cd6148723b13922e46821cbcc97004ddd8c04be7cf5f416897ec7fb2951fb6813a282bed43bc8ac1e54f847153afc2dabcb5648ed9d5615f037c91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
137KB

MD5
ec083ee4382fd7b09c5aa33df3ee1418

SHA1
65c85c8861d74f682a5b5fb282a0a77304c7ebd8

SHA256
fd8b987e4fbb4c71809b89d42a00083eadcc8526c0fbf7b6a0faee753e2b7ef2

SHA512
f149230ab9bb19c9ec76f4d447ac69c5e62ce4b41008f8f7f27eb63cf1cfea45f57c1290713abd1e2dce55191b7343c24115f0dc75519baf7f3e23e0945d5cd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
222KB

MD5
0e60bbb13d69d2ce212b7bc849d4f4ab

SHA1
661de02e7ae94c96ec3b6bc9eae46453d8bbdc46

SHA256
604ac639196671edfaeeb44acd6c6b5b432a7094f6a0b3bbd4664b46d5410fe0

SHA512
11f341aeb48c18e5491bac092597f02b1cd52fb685b628c28daf285913bb8634fcdeb710b750e70e954609dea15597b904c48bbcaf6e849d8a64c937bee3d24f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
856KB

MD5
37a8f517bc74606bfcb68326166ff06e

SHA1
de9f3a35250cf2efd8ca215532fe4e82917b8988

SHA256
abe26160d7e62628070b088f8230cfb19f9a9607df3cc4a69b2687559adfa8bb

SHA512
7e2c5118bd02b28a3e8a1c0b7c9fc673de70f443932c15da9c3aabf9533bf525bf37deb49483bf5e50af5fc306e5a08d593a768a3b938511c09eb74d94828828

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
427KB

MD5
e8f8fc151df8bc51cd265012e3cda8a6

SHA1
dfd8c6ee32eb1c7f7a6429290371c99b1f93d4c6

SHA256
2161a09402cdf8efb238724d4877cf73e373be60c11113a28b8f264aa4104503

SHA512
5c8e13913dfe556c6f64b752c78d6a4f21c7fe2e4b64b4d795f6e876862004a940854c708cf1d17850d657272f2e030819c1d5c51e1e5191003d2061b50fb1f0

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
7aae1d93541efae7c8b13d1c3cb2db8f

SHA1
8540cd792f75a15d6eeb59a105517b9fcb5edbee

SHA256
0e1c1e65a7e00b9dfcb3551c0f2bef3c9f9db9dfe26cd65ee146d5f11ef7b360

SHA512
55dce10941bd12d10286aef40416cdbd5b6cd4b8749d96fcdc3777603c404f88ea74a8d26413a0a6f457f955c250546b70c9230ddd50357d9084d7ecf2de8805

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
294KB

MD5
12de0f2c671cc107450fc5e09a587a3a

SHA1
680079b1dc66d9e1d63f49fc23c3f90d1f1618ea

SHA256
45bbd243031fe2009562430df203ff4b2c95d2d46eb9c58eaef8c968cdb335af

SHA512
551db3d6855d48a11b0098ddc20951389e587949440c3c609e1567860518260b393ff2ac15955756dd758dc440dfc84faef7e87cec4dc100fc2eeec8e1144044

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
25KB

MD5
029f82212bdbb8e7a9ed1616a9a084fc

SHA1
7a9ed4ff451f154a9c388382f9236f962e8b535c

SHA256
abd71bd02ca0a1dce750da3a1086839e946261857d9374be764d86113ca6d9d0

SHA512
04a85cba716d0c25ef9f9573c067820476e5b9f5e6eb8562116190e97a68aa6534ccdbcbbea45e6446f06524e9906fd50faa7de1e8872c8e11352a55a489f5a9

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8e34aa24c6d82742db3a4cfb99a002a3

SHA1
2e70df4bb8a087cacbe42072c1d880ce7417f4b5

SHA256
79c986c587e56db71658669f4976e12b0092e9478f3f5f8ef46eae7486dc4226

SHA512
f76afd0d04da895f7b00c316548b6d23f348de6333a91f9fb61893e653a2ca31caf78b5bcb1857a598ce2cf9574b69e160a14f9a5748cff78bcb7d1a6c1bf7a6

Download Submit
C:\Windows\System32\Locator.exe
Filesize
112KB

MD5
068f67c55db7dca0431d7929474c5443

SHA1
bd06cef2ae5be29fe4cacf0e6553d643a97175ac

SHA256
bb0d49d0c556dcc8968e7e81c15b50571d4400ff0d333c30df4979c8cc8e2e82

SHA512
13280f0cfdb63f4889c51b449ebc32bc8e260fc84ee4b1b2e88d1d5594579fe04305ed9abf36141113d25562788db58ec0b2e930c83a8c21645d7231d34095d4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
255KB

MD5
d9b5d5c8227d64690b11eeb89a3c72a0

SHA1
9f679d29795ae73892537523fcdbb9be30d9bda0

SHA256
07dba1d3ec7e310f655cda30afcdbdc3b1eb0ad4d13b9f3073f983d6fe2b7261

SHA512
d190f32038e96f300f6a6eee97fb5d4821f6ebc56d55338206a4414ad531fd29a8ab97e35bb77aa15363d12f17df80ccc12a0f507a9f8c3db5f6aeeeb1484cfa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
321KB

MD5
56074279aa7290160b292b8a69341a8e

SHA1
4e23a6085da110ac90c190caa96c43b4e88be646

SHA256
e276538e96bfe60e03edfbafc7da6959e7b1d3e74a6a84594c70f91959675ca0

SHA512
1612cfbfb5b4e65c001e1ff644701823788619875a44ece40a154f82a36e976ca93db90864cffa47d19c58ac31c8d660c2636cebb0ef1aa726cb872dcfa2700b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
272KB

MD5
4add31e869cda64659d01cc4cc924729

SHA1
1b629bc65b0cc694efe60390431785615bf4edfb

SHA256
7de7fe7925f87877b5b7cf3c17cb49144dacdacc37aace1d27a0417714805092

SHA512
ec6dfde77ec89b9c3a1e871d992185d245573345e4c295ac2146c6bd4e3f427e8121114de190e466eabdb038c6d22acf7bcaaa060e4eef4419839f4672028daa

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
329KB

MD5
aceeb76c991b90d74e621089cf365f35

SHA1
521a466793b9d211d5707f9aa2bc8a2810c03b71

SHA256
e434dc7e6030a309bca9a3e8d5ea7a16a3524dfd01565f92c7729ee0f2b03941

SHA512
454e9a85e4a2993d3534a1c4f5290fc21d612a58a9c9a1de28f90531b38067aada3757075751d6d4484b11d2554cbe5c0905acfad369bcc1f6e745a381c05903

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
313KB

MD5
4f2542924835780ba62839a69f08374f

SHA1
cc3c2a8a43c13b5209fe70230a1771bfc95e0f55

SHA256
d40f4d03743933a83f1e49ab369968ce152b78450319e02c7f254b5ee8aa49c0

SHA512
fb1be9a04f52c0deabcb87759faf964ba4d31fd9b39da9b98a5a71f44df2db9f5e65e4c7b0738a9f66f649e80ce44ce953b29f41df00efc604e0d743d48ed310

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
11KB

MD5
8f37c4b62815f88bde16c266c054b1e7

SHA1
b30d3c4657dfe66f060b1a149985674450973e31

SHA256
990f0cf72901349069ba15e05f43cb290509ae096394a8a96b8b2404e8b58f18

SHA512
4658a12fbe983167a426e7e08bd05bbf7165ac738dd256c155d09aa00a5dd68df420aad8864f33bad8cd8bd997449576aaca19cb6e9498dc853430a21f601697

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
245KB

MD5
aba36ac15e7fdba0048efc1e1ae5f203

SHA1
8eae410cd96e7b9a825d279d597ea473c6002286

SHA256
447b293d3f41a11093abf5af45e79078d91b9aa9b87a1ba055eba8ad467a1587

SHA512
f37ba08cc0fb9f44615779d394017757feed953e9036c5603fc63a8a99edb833c20019ebcd1e5ac9590397b45ab120e0ec6d25ec6b78307bacefa5c791f7dcaa

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
176KB

MD5
76ac63f66e2ccc7597dcfb175c7449e8

SHA1
d422498f3e6a06fe3312497c41a2599be8b78474

SHA256
dd176d8f4cb2edc5c7a060471ee4e1f02ce3db65247a1b58861f136b4a171bac

SHA512
40bf0a90c5f8ab40091c4e27d72f02cbdb6b8e3ec6be76461ab84095f3ccc92ed6aa6fc251cbabe2c99acfea51a2c645822fcc1e26f26b4d214af7c91c9a44a1

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
c80a4c3ea69d2bf96cdfc8e442a5f018

SHA1
0cb5a3106e12df4494c2042adb36124c6b968753

SHA256
25d6d0c44710f8066fff86bca7a925c3cd530c09f71326b96fcaf5372000d90c

SHA512
a3078310d726d1c2a93578f67625c208cb6f80d5f4ee05b6738a21e6a1d5496614f0de812483ed6a1dbb7e7b377891cdd4d2c2cb68631efe30592bcb5c652c43

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
493KB

MD5
3db22508dc33782b4093910ad6c8e402

SHA1
e8166e4b3d905633253330a1797b98cf4b91b664

SHA256
b14759e75facbcb0c53dd92fdba568f0c48b36c8dd5b2d247e63042ca4c062e1

SHA512
183c9be835cc20d1add54e2a0e2b17e6c1abd74496bb5146985251b999fd51372bef9a75d182405f64c9ffca92f8c84af6418dd6f434f3590271d86b2d6204a6

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
20KB

MD5
e5ee5596bbb8ab3e8815054fb95f915c

SHA1
ac4feab4748e9d7150b546c13f9a34c78e88a890

SHA256
00692e969736f1b39007c6b4ab2f6769410aabdfe0495ab09bee0d03c89a4ef0

SHA512
74f3dfa02a8afb8c15d033b2e2e3469e8c2bba582f6faa5b17647583723db1a96bd626893f85f288421067cbe9f81ba006bb85e51b38b53e8aba32ff652401ca

Download Submit
C:\Windows\System32\vds.exe
Filesize
79KB

MD5
99f531e5c374c83d32142d87e5f9c615

SHA1
a5e859af828dd938f8d6373d7d02c5fcd534ff47

SHA256
79d5ca40f234f0c0e5a58a760387d96ab4fe046ee24fb151c8eb68929301fdeb

SHA512
d857c897c45ca53f6af59662d008efb1c5de03a5fc1a4d655f8c92a45cee9be020cc1dcecddbe56dfe34cdc6b48c3b39fc996ef5073dae5b473eaea1589fbb37

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
d74f4ac7c0f174d2ca8fab0c0c3460bf

SHA1
87a20ec92548957c58f7ec8784928922a30d64ef

SHA256
28ad71322efc750b4782352960dca99ba51f05b5c9f805f988af36fcd36132f3

SHA512
dae38af45180be7dd0028499bc5661a954a23a1211648c0acbe6054ecc09cea64eb1522259ad32249b58fc32d44b79072773d363c332b9afc337c6d069071f39

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
37KB

MD5
fb492967f48de80384c1590ba3b2bae6

SHA1
edb2a07b1f9feee4f99d9e015f35c91b73896ce2

SHA256
2471737772364c7ba9db38ef69664c2d0b385f7f3f2e389c5426bb75eaf18e51

SHA512
083ca8c1eb54434a913e4609b7dac43cada6afec5cbaa69cd6357b4b549007756dc83e90f1e8ba86be8ece572fb2e0a649c1a958476501e534d303ead84a6391

Download Submit
C:\Windows\system32\AgentService.exe
Filesize
532KB

MD5
e716c81283f88b8c782100db5e165248

SHA1
6242ede383c59bb0eb113ac68ec6794c9bb3addc

SHA256
995ee830f1612359b37028dd3446272744621478723afacf559e49cdefcbe528

SHA512
b5799622161c04767bfffe299555a609acfa117a2c770145ba1ab6ca4abf6e7529a1bec269815d99abeed7b174be2d514bcfb9236e827b00445a3f3bd37e5275

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
870KB

MD5
2bc3fd10a340a6c8a4b09c18915f084c

SHA1
22ef3f43350082409af5a926c9b18c7130a88715

SHA256
8267a34d9862f5a9ff57618322fd3e15486f91ab64ea9d070518445684b80adf

SHA512
7ef7250803e4d81ecac809c3b788a0c738ba36fc94cb55d8346e3eb498daec2e06887e5557a0c2db82be05598e7da19f16bd69b11263ccd14b05200a4048f4a9

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
752KB

MD5
80d696a794dbd367ca57b8e186b030cb

SHA1
73120010911a0c3c96e2ae5904683f05585b385e

SHA256
303bf800cf68d1a4728ac80e6aa7672562484a9421df86560aa721f995c15ae7

SHA512
18b86b9a1327921987465c68fe9054b6dc1283bb2af1aa331090cf63f134490e7c481ce79a7a3cdbabaf9370ba5bbf530dd00c7f0a24cfa2e7fa073a3c0464bf

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
797KB

MD5
87b612bcc2b130fc88ee6b15e946275d

SHA1
71f874a2d2e33f95e1b3883fb42c96e769e53f22

SHA256
41efe68416178623c33e5355194596c9d7f888e1e2d61eaa9ae138fe995a30bb

SHA512
bd35b2e0dc16e19360c494e53f9dc032a764edd503b5df94504791f0770935759853050a89d6ec596043797b272ea34bd1653a5977c1281ba630b2d3c3f0650e

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
e62208ea7cd03df80d97ae653cde88b7

SHA1
111f30c69849e378e623745022c8655ea7cd5917

SHA256
f9cae0b54a680b46459924c1a429d635ffde84192aec2390b1512abe27c68ac2

SHA512
76613330afc2983deb2726ec1db5fbd9398e4a74ec86d6d92460b6d8345955adc317e8f4290e6b55d314296f6dce40c80e3ec14e042b95bf981616a8d8a53cb9

Download Submit
C:\odt\office2016setup.exe
Filesize
694KB

MD5
b060719a7f65969990e49fc1a9e0b753

SHA1
f01d59bfb6b34996dace68d8b02ec58060e458a8

SHA256
364c13a773873c60be0922e2c72511cfee7c36454a85668009dca226659d9777

SHA512
efa4f464c2d9b48fdef5bbc1b082f53d86b52b05ba9fbdbfc20bf77a76630f23aecdd6693ab23a0659eb605ac5838fd9c542cdbf2ab97917d3558356e1d179e3

Download Submit
memory/664-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/664-172-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/664-180-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/784-159-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/784-95-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/784-94-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/784-101-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1784-7-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/1784-1-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/1784-0-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/1784-131-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/1784-6-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/1784-610-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/1844-676-0x000001FCC16A0000-0x000001FCC16B0000-memory.dmp

Filesize
64KB

Download
memory/1888-106-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1888-124-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1888-120-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1888-112-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1888-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2056-301-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2056-231-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2056-241-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2216-363-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2216-356-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2268-345-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2268-352-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2276-205-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2276-213-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2276-271-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2812-325-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2812-315-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2928-651-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2928-303-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2928-311-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2936-259-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2936-328-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2936-267-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3164-187-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3164-117-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3164-116-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3164-126-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3240-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3240-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3240-200-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3240-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3264-145-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3264-12-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3264-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3264-63-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3284-337-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3284-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3596-314-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3596-251-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3596-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3596-324-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3684-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3684-299-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3684-294-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3684-298-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3740-272-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3740-281-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3740-343-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4080-150-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4080-143-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4080-156-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4080-142-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4080-153-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4356-201-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4356-265-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4624-250-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4624-257-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4624-195-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4624-190-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4680-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4680-160-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4680-167-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4680-225-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5088-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5088-227-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/5088-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download