kinsing | 8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
Size

1.1MB
MD5

4f24bc0ef40dedf3a245a108ad2590f5
SHA1

1b22e19df2138cbf5f628d2d04071640f7b276b5
SHA256

8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0
SHA512

3db0bfd398b7849676c1bbb11732e1cd3c02ff6ca447e631fdb39100cff11614d26d54f568b564de268259eacdb85d59050953ce30a291a61ef876b1ad4018d1
SSDEEP

24576:vsYN33VA33333V3333333A333333333333+1SF+5JwXgb1081v3iYYKLJxNk:vTF+bmgb1+cxC

Score

10^/10

kinsing loader spyware stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1444	alg.exe
708	DiagnosticsHub.StandardCollector.Service.exe
3416	fxssvc.exe
1544	elevation_service.exe
4604	elevation_service.exe
4592	maintenanceservice.exe
3504	msdtc.exe
3976	OSE.EXE
4880	PerceptionSimulationService.exe
2056	perfhost.exe
3944	locator.exe
3428	SensorDataService.exe
3596	snmptrap.exe
3500	spectrum.exe
2364	ssh-agent.exe
4964	TieringEngineService.exe
3860	AgentService.exe
1956	vds.exe
1740	vssvc.exe
5000	wbengine.exe
400	WmiApSrv.exe
4472	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b460d266c92b1ccd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\locator.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe

Drops file in Program Files directory 64 IoCs

Processes:

8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127968\javaws.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127968\java.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe

Drops file in Windows directory 3 IoCs

Processes:

8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c64b8beca34fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5d4c1e7a34fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073b768e8a34fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0accbe4a34fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e9ea4e5a34fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004289fce8a34fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008673eeaa34fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
708	DiagnosticsHub.StandardCollector.Service.exe
708	DiagnosticsHub.StandardCollector.Service.exe
708	DiagnosticsHub.StandardCollector.Service.exe
708	DiagnosticsHub.StandardCollector.Service.exe
708	DiagnosticsHub.StandardCollector.Service.exe
708	DiagnosticsHub.StandardCollector.Service.exe
708	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exefxssvc.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
Token: SeAuditPrivilege	3416	fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege	3860	AgentService.exe
Token: SeBackupPrivilege	1740	vssvc.exe
Token: SeRestorePrivilege	1740	vssvc.exe
Token: SeAuditPrivilege	1740	vssvc.exe
Token: SeBackupPrivilege	5000	wbengine.exe
Token: SeRestorePrivilege	5000	wbengine.exe
Token: SeSecurityPrivilege	5000	wbengine.exe
Token: 33	4472	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeDebugPrivilege	3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
Token: SeDebugPrivilege	3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
Token: SeDebugPrivilege	3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
Token: SeDebugPrivilege	3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
Token: SeDebugPrivilege	3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
Token: SeDebugPrivilege	708	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe

pid	process
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
3456	8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4472 wrote to memory of 1372	4472	SearchIndexer.exe	SearchProtocolHost.exe
PID 4472 wrote to memory of 1372	4472	SearchIndexer.exe	SearchProtocolHost.exe
PID 4472 wrote to memory of 2216	4472	SearchIndexer.exe	SearchFilterHost.exe
PID 4472 wrote to memory of 2216	4472	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe
"C:\Users\Admin\AppData\Local\Temp\8c08664fb9af79a680492e58542443877f9babb764c66e59d36c32bbff5806d0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1588

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4604

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3504

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3428

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3596

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3500

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4564

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4964

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1372

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
2⤵
- Modifies data under HKEY_USERS
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
b5512811b6b285a42716dc152a066ee4

SHA1
6fbd87d12d79f454f7f4e5940f715e3301ca7cfd

SHA256
f243c4cb3d78f0173ad03cee33e2696dd4e45efd4ed3b55e252a6a34545ee422

SHA512
23ab2a0b81c80b0528c36da262a8f2c85df3736255c70b5a1c33e3d9c146fa0e67ebcb212f3209339ec3120e02bfba2fb9738a47b5015a9f911de7fb28600a09

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
1a2ba77da0a2d4fa4d8e93fb0629493e

SHA1
12fc2a3a4ea6d49198f55458c15dd0b54d74e935

SHA256
9520de313c114472cb5355d714964668f806f5e1823fb64c8857973c01bcac5f

SHA512
c564aca4dde1ee72eaf6634f3a7fff37144bb9bc1ca397893fd6dc4acf69bb831fb019f369e2c84ca8a769b3416e7d9f83a432b148d38d32d058a783271a6bb3

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
832KB

MD5
6be27be273d2ecb723d97ed7487f7c7d

SHA1
00e1c077277e7719399c4d1a126402136cd8f093

SHA256
ba2ee86c135ffe9c8b9b871012e0bba46293e976f5223d3a1a19f589bb0951c6

SHA512
27810881426e36b7f767249bea49b142fe9939dc599a4d3ab6b00811b726094e776aed7892185b615bd92e5de38e8c6f0ada0157992fd2946b78f273dfac3e52

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
924380a96031519a282e79ca5d6f2500

SHA1
27894d8a6f641ef79937ca1bb05b44437dfc136b

SHA256
94fc9f0f490998064ed4e26536625be2b2c6276d7ef71efb61566a30a354e87d

SHA512
6d7192706c92bf0ecaa51c018d8cbec6d8d8353544b633b27bee0d28abd3d60dda5a1184e811eaeec92e24b9336fed3b0725d6a69f03b087d12817427d988f11

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
eb79aa7694cfdedf9ca868f4c0b33efb

SHA1
4282ca84feaceb097a0e35330bcd2d3765e07cd4

SHA256
41353a9c9cf73738acf3d67735b14698beecb2c0378788eebc45dc0c67eb51dd

SHA512
2dca9442a38dafb02cebaa467e63f9c69893605054509e5c9462b74893150797f286770a850bc0fb967f41ce6c548a8875e97cd1c48a5f818800e3047bbb32bc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
6a39fc7e01ead968cb56695f6a27f43e

SHA1
57d4de774e1862619edf9f1f6fa2c3c1143ac44d

SHA256
b78f6d60d81cd4dd6bc61aedd3b9a591b26331e689b35f2069daf5730c0e3892

SHA512
17d615118823ecb93c2157db030e78e6b7f8c89d7501e308d91f181703ae535166d070c56bd38594bc90deec45a71f5ba24396087b6c9d9926a0b7c836e47543

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
b84147538332826be49a79cb6abb371c

SHA1
c928f1dfa4f50f70fe13536a61a18b4752c97055

SHA256
147d16f0ee62e9901beb5cae86776e7537683fdc16b25b5428c9fadaf34c7f04

SHA512
9307b078e9eb6814389a2af2e35894da7212df18d1ef5daafe4a36b18d59c463f700e30ee30d796b8728f264d4283d5f58810d6eaeb7869531828daf644ada3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
2.1MB

MD5
0825aa1e48234a34cfb4992523268001

SHA1
e2aa70d76f90636401d768c9a618dffe5a2e6796

SHA256
46906b668487f704f6dcf83d39a2fcef82e431e840cc2e804686e71c17704e89

SHA512
15158bdf1a8f98718d82c740074648094e17674483a93179b802bcb339636c0b5b134e9f12a16967d3b501e3637c4f5631cd6af11a3467edab0a573543f49b73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
c1ace50867dea4bce13d6ea9f93e9b1c

SHA1
3dcaeab86f409a091ba4c8c5c6552c221ba20a70

SHA256
d88e8d08c9cdda6871768e32c73a8f0b14cc1df3de40284f905b0767e4d2473a

SHA512
75fd5e26f29ab5d83e8a14f754db9252de48ee84fca88031872efd6918667c2610a21bea2abae2822b81e19c55c621a28fb331aa86fe8d734d35056e319aa253

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
14KB

MD5
609347c4588090dd7cb2336c567a1096

SHA1
4d03c6d6bb5164181839036a9745251650403693

SHA256
bbfc0b50953f34daad759740f246a8e9780e3e2f5f7898803294e053b486b3ae

SHA512
73a848f7ca7297df554f1ed7667a9b7fa968091eab7123b497afb54713b1617a190ed28075d8cc9e54c394a40fd2de35a02be851ba5b9dde5f6b7a64013c36ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
df9888e46dd2166a7ac746c3733d3eee

SHA1
a8babb15ec4748a21d83510abd8fd3beec8c8c02

SHA256
495f2e8105bc19619b61ebb6a9b0645e388da1a69ce80c1fadcdf5dad176f9be

SHA512
a980b7392b2fb451ce91d6d841fa74ff8aea07c4fc54a2690eb04cf6ac6f6d9fa996c55063388bbb4f63bbbbf762c4960147d13564734ac8b69ba115c21e6c7c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c791f380dacbcff3ec4d574f6e75d669

SHA1
789717a0860af2771616b98f3cbaab96f0d95db9

SHA256
9b833251ec52c4800f5013c869c99497ebd38fbab10a2e5a19dd8b5af3c07e4a

SHA512
218b0c00c3151a9ba752f7fa4cb80a95263109c95c36f3d4ef9d2bc3d91b8ee44f6d64268d7dc7e1999fdaee566b3f53411376e2c3f4b7de314ea06aae928ff1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
e2a175a8623d3adb0eea0afb66e04bce

SHA1
c528a376a70f9bfde113023d03d9b746eb79e805

SHA256
31c873d31417109e8202a9a25afb79a285498b9bfb73f70fd632d052df32a59b

SHA512
18f2be9503d326019f7d573cd98960aa6a687e9c4f32993900d1d8eb58bb8e19af220a0c4088fc705b1639c95767cb8075fc4e758c21b879c9227fe5287afcb4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
f9d634c55852f4d1107fb384c7886bf8

SHA1
246559949da562be45b65b49ca6ef03149046dc7

SHA256
b32bd0e8ed654be799c4222fdfea7579d2e706ab88ad07f152bcb3dfa45e591e

SHA512
08e94cd07275a91d059ed25a347b7f0d3825470e22aebb8d131444283f25f3c5f2438ec598656390255004d584eb7fa4dbbc7a3bf2f758da51dd06312ef501b1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
1.1MB

MD5
02bdf9071c9bf522527a5823ec717138

SHA1
15b2ae45df35c46442349fbc16f3ad6b01be118b

SHA256
7e4d5e9b3ca41bef35be587bd73df0da6bc11486be5543d7d25439d3fed7000b

SHA512
2b8952c16f04eb5803926fcd834de9bb2ba7b242e9d9007d44b725343a928f109083da723d53cb0c692b2d6c98d9dd6afc0fdf5ff839146e298f89df70e59d35

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
1024KB

MD5
ce145b908b3e74b325a80ca7d2875259

SHA1
71f14e85dedfe43fae2c0e2e1686f326b6ee4122

SHA256
f07ed77e2798ea2db70d500c7e4293c8903a1922492e98e70c5815210f82708e

SHA512
8549ebd13f492ab29e5b4ad61a06788e39225e4adac04d2d9785e97b9863f282cf4cf5417dccc9f0706ca057ae65fb59d5c041837c9683ec1e4ded1d3af3ceca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
1.1MB

MD5
313dc0ccaa63375624f6c6360059db64

SHA1
e256ec169fff93cdc42de371511342d41e505931

SHA256
d306bac6fc0bb2056d985b85e20faca6e15842a82739bdb12c8f86e160be80da

SHA512
aa1fbc085703b3eead2752780d397bd8a5efd009954aa18efd848ecc9e26722c01335679633138762656e18dfaad6b06e51535e4d013e126a0c37249987cb91d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
256KB

MD5
66b7c7c7ad497692e6a3ef15c1c13281

SHA1
867e86ef08bf1b870f06bdb1eab16fa41f54ebba

SHA256
96ca6d59712b7d2f3604a426ad4ccc29fd5a8e199ef23ba0ab9ddd2d8b619d75

SHA512
fb31db857ae42b006181ed08781a6d95e6828fc495a55f875733ae5baa5a28c6d1b006764ed4650b780dbdc097ecb61d0ee34b05b0572b5972e2273d6db7c539

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
896KB

MD5
4e36a7b3623323fb297dfa271137d27b

SHA1
3f7ec8e268036f038591cd980fc7450c7a5612ab

SHA256
25a9bb2448a3ad9a2d01a6f30580fb0ecd33c12e20de4f6ec6130032689f3b49

SHA512
070e9e0c580d9fa50cbc757fa55e2ccaca9940622676d679fcace2e613a168526162b7bee5b8be16fe37e14ea5f1e4af5f156bae784031f59138696562d60e6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
974ed2777ae03164a70be3d7c56a6a4e

SHA1
4d549a89332e7fd7c36deeee7b73c14a3a9b7618

SHA256
c1fc4ae725ba4725b7b1d71dc54ee389f0ce90b538491d23290c2ce5acfec736

SHA512
9ee78aaa9199fee9e42f88a93bf7dd994114e2a574852dd80f5870579d824340e425a8b4d5369ab4f42673fa5bde2b5dcbb9c74d65687f475a39755dbfb9fe1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
688b2e1381006012493316eb3ceb3e16

SHA1
5ea0d011326526390228fbc12088258b691b2a6e

SHA256
ec50e88e6e3b2513fb51444e15dc99cc0a73ba95b36088d79f5dac2d03b720bd

SHA512
ced60c78851f62d154e3c746bb8920565ced1c2e2b9dd24bb0ea2c0daf42d657f1a3521ff39d9c9ca359ea0d6a7ebb9a7cd792faa81f70b358f94c0ce6a971dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
d9583546952f443b938659ff2d263109

SHA1
1840c22ccd0ff9e1872f1a8b5e4bff80ad6ca16d

SHA256
5bde51e19ca9838a944dcd37682abf1dac68fb0ade880480bcb6295ca6bdfcc0

SHA512
adbe239636f6ec75d3fc005c23c377c0cbc78d1e819cd62f4f6934a1d16f43ea8ed7c5c8d828d05f5436c22c83ef960764ada886b9f1e80fb8519c0869ae41e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
f2d6d1614045d96dc5581bb3729fe960

SHA1
90b601a262feb6ed1b554de1cebf93425911294d

SHA256
1f7ca2391b70315c96ba6e1f4153025e16024a98472bfe0a2ac1f0344deccf88

SHA512
a76af3d2c275bb21dd8f33e7fbf5af1a5f12d482127a90d4b994fcc05afd2bae4d2cdf41dbe7cc233c24bf02fcae250ab4cbf9afbcf871647641fa3bbefcda27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
c9be4891e4a720ab9ebbecf9723c1a49

SHA1
70fae1f29606dc5e451334f9f512696b42e02015

SHA256
a96588e0c0f81db5803f1f7bc6f182951a96564ab4a73954a9265d0517528d51

SHA512
da2c746876efdd37f9ed9f8917295c837a3b061e1a3c27843192c94feb1842cbd53b7c454b87078aa24c74f4bde668f2334a2ed5e4d1bab3b8c716e1db96ff13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
576KB

MD5
9b00fbd5ed5fd4a81d4b718ce9c83ff0

SHA1
0919afb52212b24d3a0eeb974148b19b1f343b26

SHA256
bca72630bdfe985278c315b2a30df4d5a117818d9305aafa1acdb33b3576fb52

SHA512
f5689a921f587e7667960947f94324f9ec1e4b78bfee291537a2976344570b52742cb1e665f36820df0fe55c515d87e97c521370f8984937f4f3a65acbc849cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
576KB

MD5
221b43740e52e1c1922bc2d233d89598

SHA1
3ba62fd7750767e0f5e719e1006924dcb403d62d

SHA256
435b25fd827e15c97e021b656dfd05a207bbf14d193af123671812b380d41a62

SHA512
fc88f88e906c0c01b200c93356a9257c7c8df0786d545a183008826ca835ab2011570897c73a0d1b2d1fff2b721c70bfa0df6e4560cb21360aa873ac75484915

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
576KB

MD5
6575f233b2fa9e2fbe5ec5b5100ad0e1

SHA1
8ea88b747b5e6927f106707704f1e78d13202a6a

SHA256
7186fed70b4d2e947c472570fca22518cc8f18d7df17c4b7b8bf6b33bfdb7bbe

SHA512
8412b589904e7e9ce04a77f4ab60c69744deafec62b84f442b2de995bb6878878882a8c5f297a43271e5de0c5f4bda4e2587da29708a8cd8afbda73f149e9efc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
512KB

MD5
b0eac0570bb6632f731c5f00af635c1f

SHA1
d2f07eda12c157f1d1b68511bef1b52736439085

SHA256
38fc19169fb3d63848b471815472a9819df9ead745b2f91e4b04c5e40566bbeb

SHA512
30c77d482de2b75d7d49d0f7d4efb3b99335e93715ab88f46cf9b8e78e211c82b17bf80558e166549af667ebc1dc87ed74286cb751087439870b153678f9b9e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
512KB

MD5
59940c60081fd5d34eeac42ad70edb03

SHA1
adb156fb92f6eb6e2a1d78dc0274ddb289d8f9a1

SHA256
5666a9ebfc250a7bff680640427c2f84a2949fe2cad2a1c4e526ac45cbafc0d4

SHA512
61fadf30dc6f92830ff08cd81ec15979225fcd4d34cbba1b8c5ec824c92ea225151fd8cbd1e6f0e931ad7362b9958728bbac58bbbc86a233ce1ceb7a2787d620

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
512KB

MD5
23fa94e1c886f8cac489db656a0891f1

SHA1
30bb63b35995eee6151a7328a0c60e7e0dd9cc96

SHA256
b98eed4961855aece9c527b7b97c323b4a0b590fbe4193cd5d1b5ce26f49b2d8

SHA512
03ab5d8d9451dfce3f2e4c8ebe8b78ff052049917391785241221bc713a997072935c73b0ec969999e00aeed45ed42fe774d8e5fff1ff96ed946230fb19fe767

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
448KB

MD5
e80245f59ca7fa16c4900fbfbf30796f

SHA1
3e22d6d49973dcab084095af2bbc3a905fb0165f

SHA256
9a915b40f83693d5e247f8d2920075fc46f25ebc8a682cf88f27b527a974be0c

SHA512
a7615e9236cd387d86e438bb05623e9b8ee3469a2a23b096a49451308d604dabfc0cea6a56ee166b34d74acc621b92e1a74535f59b4f60de14dc65982a907b9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
448KB

MD5
5cc88d6ad644898b351cd43cead011b4

SHA1
0daac5fa00e04dd8556587d0162eb15e6af28332

SHA256
9efb0456cc9ecbc8f6b3104217809169cb73591058777ef9c7ba38474699401a

SHA512
fe82a02966402d16510c6ac19863da862b0a56506bc5200a64d5b3b005ebbc9efb3566c7573b7172693f00a04c4477d8d5ab11b0bd6f16b2e4b046b873e8b995

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
448KB

MD5
3a1b9127a70893f0bdb12ce21d14561d

SHA1
c64a707177ad1597515b007f1b0d3a964a5fe979

SHA256
949ae9560b2a19604c7ff290f2b7ab371956ca874d71ff33d3d9995eb7f662eb

SHA512
263b78c6e6e2e2d5fdd8b0a61c77549007e1535dd901904511902c9cd31a58311cc489ff9af401c91ee565083356de6a01f3fe64ad176d6c7c939b5b24726055

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
448KB

MD5
910f540625636d8aeb98511af322882a

SHA1
f52195e7b1a8a3efca7bd279530fd29bd2664b70

SHA256
e70a5f1a27def2af1f72494b5834c8a732296da0d8ac6681f7104958fec42969

SHA512
4c1ddc9e10c8872a393c76af2d5875d6f4e1c94466f29df1a15a972a96e29d66f6de27b44d6b5d8dbb0506cdc3d6f117e014b0cd5a063d901f2de2d29c0a05a2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.4MB

MD5
f83b65b7e15ca6651ac4ea3ebdcf773e

SHA1
b979349b53cacb7df867b7d6a2e4703b416f0749

SHA256
0bb51fb86997f2e8162aacc4f878fda1cd4bead4409beb5cf3a6018a3b863407

SHA512
13f09374991e3259a194d3116b70b9645fe35eedd132bcfa14a57c5f8f0e383ada654434d25d6dae7a29ca6a1fc2bf84b0e5229646b988af40679600cbbe0fc8

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
696KB

MD5
4ce44f31ad42fbd48d60ee480d8c60dc

SHA1
2835f07dc606d27ed455ac3a7cd3e4a23696efc9

SHA256
196c1d5136a47f49b82872af49651d3d75ac6e7374d38dd40be11b4d04005be2

SHA512
ee75e4a5a22791978cfb408e7771afa8ed70d59bde5be44a8a7f8889728607b9c066062e6ee64732d6d2ac84ba3178eee0c044412d8eac4b1dc6840c93ee0789

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
9dc1147330cba9227572feef49e8a800

SHA1
d81e8056fa3f490d4403394667dc56f3ebb783d2

SHA256
ae28803a284c761a62603d6cf8b7a35eb7e3ae9e2d582796002a1864abf73bd1

SHA512
5b7865f84aeac69e1528171dff95cd62fe06e96663fe4d5d6f5ae9e7ad96fee3eddcc1d49eaf312ac5c1cd06ffeca8796e7620fe2971bd49fd8a1a06b3a61538

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
be10202f67cbaa2aed00059bd01dbc46

SHA1
3ca5742febe484bc96bc03bff7dd5a379f219094

SHA256
360fd37c825ae2719dab5e897b46f58d1ed76503bf514f7238ff96a3d8ae8976

SHA512
c9d1c7e15358f12b40c54efd4ab9aedb88a2525e6ae652de5d17f49a19a35be3c80edc7b6c22bf21a24fb4add73b53d55254f95e855c77662e18c4abf79bcf8f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
611524becf1310a94890109c10e6c4e2

SHA1
6e1ac7106fa33c1f922070fad3b39999e39a9957

SHA256
bd924e75972bd226147e4f4e11ba815417a595517123ada04bba0000fb1369fa

SHA512
e100a2c036a0b06f9f23df9f99dacb8a5cdef982ca6a80d3d47832c3315f3420b15d6c3e4b6cb9ab651db003270cf8d2168075cdba5dbeac26f5b8472077133f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
487dd8ebf2a986754060e997caebba16

SHA1
6fdcbf3d439f0148c06d17bf5c1bf8acf4dd508b

SHA256
379aa46ca9edae5c243a33ec02f82034843d25b2e345d54204fee4fdaa23c7e9

SHA512
737a6f28fe95622e3362724fee1a211f1bac702a9a3a60f0406d45eb442a4c43f5b31c4790b97177db5e3786d1f1adcab0a928ce20a66489986db057b42233e9

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
1026039eacbded4f73998dfe8d1e5e7c

SHA1
2d815c7f49f29c96ac9c76ff377291dd9bc6c26b

SHA256
421ed7e054ab0033109ae19a72644ddbcc34054e124a26eabe6a7e53041ac4a9

SHA512
5137d3ff1db6e81cbd841747579041ef7ed510ab53aa143d77f2a16179d498568dcccf736b158d178c4b673783247f67aa36ba032f370b93f1bb00b9ac0dc12e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
9631adb1656a1e45e6dbf65b18c65f8d

SHA1
3070833ec51070676cd7bba846f4d529f23ae6a2

SHA256
094b435477511ad288caccc02206dc31303b7fc33382620bd128ed9ca4d86b10

SHA512
1d4d6f1d1c5caff2e1c57e3bfc6ac1225b99dc1d1dc2b3f09db7c71db5084435e5383a8b386435ea405d469908f679280b2645364a5e4eca42c8609b40dba883

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
d1986d27bca6fe50a57c3eb29840ca60

SHA1
650eed8d98b622162f040d5d1df4a5ee35d01a5a

SHA256
fdbfe964001835ece5f68d8929a696248222625d0dd00edacc7c8e3340edf0b1

SHA512
ec20d9c70075ba073d69c037964aaa856ab5d2af0eeaea0badeb9bf7b594773667aea945d0908a091c0b222a06cab7cb508702aaebdf1a8d2d6e65e0528e52da

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
150218f5d55933db8c3c9ec25fd113c7

SHA1
cd58dfba7ecb60059bc88c764d63716628512d28

SHA256
07518ca6de9dac1694c01b3e574002afe6648225f5da76d95d4b9cda39789b8f

SHA512
e1e42c80f84eb29ffb491beada3f9325cba16de70d54a1dd8a768260c48b1443d3188a6b8654e70d89eb207e059ce88df086d0cf8d4b70e742fff90559dabc88

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
e8e69524af7a4105a9f32ba2932e3fce

SHA1
85ad221e1d962fcb5ad887b0c552712848c1aed2

SHA256
9c29c66d2723034e4640366b74e32672940ef9671aa9b4695e0f1a18a7bf1e03

SHA512
4944a641b026edec15c5b02c5a41660edb8b753348d37f7f3198fcb958bedbe7833fe5429004d6ed3f6916d1c9225cc0bd417aa670abde4003684d4cb2de73b7

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
320KB

MD5
e99ead13673cf98deacf20c1fda74f3e

SHA1
423094e598c158bc25b35423395eb4a9fe87de28

SHA256
f6d097869e6d09677af42a332c1e5a090f653370a2b6c4539cc7eec5f908b1d3

SHA512
7728319a037023367878ed922c3f68fb142440d6db9ae53e25918a083d833b1bddd7c81a6adafde3f1de05901b8a2fdd10f2f06ce0af65030eb53c827e853ad6

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
19b4aa721703a25318992b2bfd67e3aa

SHA1
3d10f9ace5542e16dd74fbd7bcc01de3ab51e881

SHA256
fb763263f12d25fe73aa595171ff0f2825a14c88bd3e0e1579d97215775e57cd

SHA512
8c8417e1ffbface825321dd23f5e1ee65af8fa3aa9b57392ebc9591952fbd8001d5bf77f1a55edae27c17d349acb18ecf6123ad81ffc56d5d8a5173dc7de6c55

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ed3cc090ad851ad6b0bf5d36a48e9ca8

SHA1
cde60f5cea76cdbe1eb486e4c7dab90a5946b8d4

SHA256
0e91bebe5857cc39a71cda32b8ac8f2334e1c00c7fa0a7e943c26e264e54bf41

SHA512
57f0e9fedf130c2bc119c6a2e80980ad85cc666f6c435c4214495e851844a9de3b2ac4d8b3f7381ebbdbff039f1babf88d5a77c8f7cfd9273078d86d17817075

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
0b8ad300d74a8adcad097dad74a9195b

SHA1
077c5346086eca672a8723d95f1935024bf68557

SHA256
eebc26bda0f405313508657d36d074b81ef818547be7f709da52a2bd9aae5a3c

SHA512
0732e9e0cb961903cce5da42e8d0c777713c3f3e55c42e01a163d613eddf9628a057534a33e65384c5d98b337086d2aa78b56dd5d0eb9d817c9c1cc4cb29b279

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
16ed62556b1809f32c03c37a443770ca

SHA1
93341d23364c77e6411d09d6de7d41f1402e115d

SHA256
7e88a5fb74701c43d8aa25a95d3076a7698e0841663d0e4d1a8a37465bdd498c

SHA512
f74572b854cb56d703e8b2aebc40a84addcc89cdaf2e8e9646df6d86ebdca6a1a10f5efec99ea96ac860ca33f523f9eef85342b4e88539b98903b5277d8aa52f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
c4ff3408bc3a8cacf3ffca75fb7d44aa

SHA1
0dbeac49f4f18ec68ca65c916e5053c312b2ef0b

SHA256
ce9f9ac3acbde0ddc75c54697ee4b868e9402fa8df1bd8cfca6a90025c40a8c8

SHA512
b3fa4298dd788873a4f48c1fc9a59f1c4f79750dcd5752e599a544b26b1e6c15f398a5245721d1a981448eca6a3b6d445335cffdd55c850f4192af77738aa429

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d40444b155cb92911a0e6620eaaf31cb

SHA1
2e8d3f38bcf816924bdd4e192e1ad2eddbeb0377

SHA256
6fd9e3ea6a7ef430bc3436e4e86c414ae845599afb496a45e897c7bda924f869

SHA512
1156c5b4fb846a9fe802159ef0106edd121459fa826b8f87701af7754315ab5c9504bd68a26e60c7bdebbf239079e03d374ca6877d265c2523561a462e274d4f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
c356ae26698f0d3bc03278d9f1fc97f9

SHA1
7c9453129626ee31652b45415f1a31b7785c65d5

SHA256
66e78bcce790a4f9d43a6ae29e9baf185b8d9a8dfd3338fd35de54e191c2150f

SHA512
41ee741d2380846fab49b67a67af267efb94453c51757803a9352f389cef56ae4b7a891367f1b621de9870e2ad2fdb5eaf51a1c034990edca4aab73b4927c394

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
52c5c0751122249e34242e46c9e11824

SHA1
108acc7bc678280f8933b955bd6fe299e7232c2d

SHA256
1982088abd78fa0facfedc5c095fbb3733b826ad224886d9bc40ae013d9c4e2b

SHA512
8becf7c5d21c6eb8458dbbf5d50687ed3f41c490eeb7fd8b0e934ad465a8a2033447184243015208687719347c9c43050fe5a376093c4c65fe700535b3ccc9e5

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
b475d821a0da58e2128cf6fa364368a3

SHA1
0ff3ca3c84b078e7660c92ee4e28d5650c7313bd

SHA256
5991a1c2fde93e05ea00c74f572825bdd1dd05a733faf30a5174105fced2fca4

SHA512
8bf60c8a9af0627161021537995f1ff38705de48d830ac93faf7cd3aab48577508138d7324e2e3eefaac85a5edbd5066d90adf2697d3b14d110ce2a670e57a99

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
8ee6b77a04a7ca7c48ec4a144553aaac

SHA1
f104d2846dad64bd778ed2a3fa8a894277a78ea5

SHA256
5f242d9f3bd2a81f895007357dbb2147795aa953eaa16b0eb8a9803f8e950728

SHA512
146c2d2e0d37023ba82de0cdc1f54fd9201cfb0380aa50705cd1b0c78fb838ae3e3565ab120962669e07127fd6b24728fb40a00909ab5a425d0ede0c08906c26

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
0d7f9228ba5b20350bcf6f44e4516c3a

SHA1
aa66c04d6eefa46927f1c1cf1e9d5764b56fbea8

SHA256
a25d99253a2810571863591788042f131960319dc49fd244b980534e2e15ce2d

SHA512
bdf59be1a83a4ad15932e8dac81db9785d3f9abd509d593df9320796c39789dceee2c2dd4f08f91c6dc2247eadfa409c986f0e23253ab5d71115628012bf1b46

Download Submit
C:\odt\office2016setup.exe
Filesize
192KB

MD5
0304fe9b17c6a68f35c094553e120c25

SHA1
b49e80fb0ebfb834e664df3eea7a866a4834072f

SHA256
f81014496dd673ffe1131c5b35bcadeb408623b87064c5c81d5c58e14c14ebb6

SHA512
12c9696b93ee95dfaa475c69ab5be555afc304d3b3a1ccfc144859e27824664725bf57372171113cd2161e593837faec79f5cd45240b0ba9dec683421c0c7e6e

Download Submit
memory/400-175-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/400-376-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/708-77-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/708-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/708-17-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/708-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1444-72-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1444-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1544-39-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1544-102-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1544-32-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1544-31-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1740-167-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1740-374-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1956-163-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1956-354-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2056-105-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2056-106-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/2056-158-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2056-112-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/2056-113-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/2216-418-0x00000263AD2A0000-0x00000263AD2B0000-memory.dmp

Filesize
64KB

Download
memory/2216-394-0x00000263AD2A0000-0x00000263AD2B0000-memory.dmp

Filesize
64KB

Download
memory/2216-428-0x00000263AD2A0000-0x00000263AD2B0000-memory.dmp

Filesize
64KB

Download
memory/2216-423-0x00000263AD2E0000-0x00000263AD2F0000-memory.dmp

Filesize
64KB

Download
memory/2216-415-0x00000263AD2A0000-0x00000263AD2B0000-memory.dmp

Filesize
64KB

Download
memory/2216-414-0x00000263AD2A0000-0x00000263AD2B0000-memory.dmp

Filesize
64KB

Download
memory/2216-407-0x00000263AD2E0000-0x00000263AD2F0000-memory.dmp

Filesize
64KB

Download
memory/2216-406-0x00000263AD2A0000-0x00000263AD2B0000-memory.dmp

Filesize
64KB

Download
memory/2216-399-0x00000263AD2A0000-0x00000263AD2B0000-memory.dmp

Filesize
64KB

Download
memory/2216-389-0x00000263AD2B0000-0x00000263AD2C0000-memory.dmp

Filesize
64KB

Download
memory/2216-388-0x00000263AD2A0000-0x00000263AD2B0000-memory.dmp

Filesize
64KB

Download
memory/2364-152-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2364-236-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2364-142-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3416-33-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3416-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3428-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3428-120-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3428-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3456-7-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/3456-56-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/3456-1-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/3456-0-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/3500-138-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3500-128-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3500-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3504-127-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3504-73-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3596-124-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3596-174-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3860-159-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3860-161-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3944-117-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3944-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3976-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3976-78-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3976-86-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3976-137-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4472-379-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4472-180-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4592-69-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4592-67-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4592-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4592-58-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4592-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4604-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4604-43-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4604-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4604-111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4880-90-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4880-91-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4880-99-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4880-151-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4964-155-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4964-336-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5000-171-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5000-375-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download