kinsing | 26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exe
Size

598KB
MD5

c3b5d72db79281a010c211e101e00984
SHA1

f8f583a3ba99f851d1b741bebdbd2cfb5d67b9d7
SHA256

26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8
SHA512

fa9c3605fe7d0341d6a250bebee692159bc19d8381f91e999f20ee03e96a5cbd5dfe6edc5c482b5903155fd17918da330b008ac508a872fc455d505f9c638e1b
SSDEEP

12288:HV+iSF+5v9vsb+zpwYcUutCDb4QK608Badqv31NUdYYKYAJxgy+Hwjq:HnSF+5JwXgb1081v3iYYKLJxNk

Score

10^/10

kinsing loader spyware stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4044	alg.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2288	elevation_service.exe
2672	elevation_service.exe
2292	maintenanceservice.exe
1112	OSE.EXE
4928	fxssvc.exe
512	msdtc.exe
3884	PerceptionSimulationService.exe
1372	perfhost.exe
1200	locator.exe
3216	SensorDataService.exe
2372	snmptrap.exe
3540	spectrum.exe
1780	ssh-agent.exe
4544	TieringEngineService.exe
4964	AgentService.exe
3720	vds.exe
5084	vssvc.exe
5028	wbengine.exe
4688	WmiApSrv.exe
1468	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

Processes:

elevation_service.exe26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f4b146b24d74bb6b.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009509ab3fa84fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025b7f93fa84fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1dfe13fa84fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c541e43fa84fda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
2484	DiagnosticsHub.StandardCollector.Service.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2288	elevation_service.exe
2288	elevation_service.exe
2288	elevation_service.exe
2288	elevation_service.exe
2288	elevation_service.exe
2288	elevation_service.exe
2288	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1332	26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exe
Token: SeDebugPrivilege	2484	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2288	elevation_service.exe
Token: SeAuditPrivilege	4928	fxssvc.exe
Token: SeRestorePrivilege	4544	TieringEngineService.exe
Token: SeManageVolumePrivilege	4544	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4964	AgentService.exe
Token: SeBackupPrivilege	5084	vssvc.exe
Token: SeRestorePrivilege	5084	vssvc.exe
Token: SeAuditPrivilege	5084	vssvc.exe
Token: SeBackupPrivilege	5028	wbengine.exe
Token: SeRestorePrivilege	5028	wbengine.exe
Token: SeSecurityPrivilege	5028	wbengine.exe
Token: 33	1468	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeDebugPrivilege	2288	elevation_service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exe

pid	process
1332	26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exe
1332	26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1468 wrote to memory of 4420	1468	SearchIndexer.exe	SearchProtocolHost.exe
PID 1468 wrote to memory of 4420	1468	SearchIndexer.exe	SearchProtocolHost.exe
PID 1468 wrote to memory of 220	1468	SearchIndexer.exe	SearchFilterHost.exe
PID 1468 wrote to memory of 220	1468	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exe
"C:\Users\Admin\AppData\Local\Temp\26d4800081efd88d96cb564dc2cbca3ecf40aa357302b152efec8fd3d3cbadd8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2672

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2292

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4528

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:512

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3540

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
1⤵
- Modifies data under HKEY_USERS
PID:4420

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
1⤵
- Modifies data under HKEY_USERS
PID:220

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
149KB

MD5
f073820dabe43328dc1ab247c665c53f

SHA1
095139d00146727e1b30c9c1a7672ed2664e56f5

SHA256
a0055a99e67978424eed89351509c698ec43c9599e12380f2b8b5d4ecc2a8d85

SHA512
4d5b141036e79b315b4eb97998ed196e52fd3e3c872a1e9470400a4af9d307cab07254d389fce5b00457c0729372565e9c7a06378d87c7dbfb4cd73e4e495221

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
91a4beb450ff170070a2ee7e3b18fe7f

SHA1
3b9a055bb3a6aba63e552eed764c9abebd78ad93

SHA256
6bca73e69ee377c5409a16ac2831306c7c2b6bb90e6bb3c66d92bc2db687f7d2

SHA512
b419bdeda0f7b5dfe79fcbb89996d6c4cc295eb818133576d1356298d45011ffcc068894bc7360d858adc2ed492be1d8c314e03e927ab5ed3fdbf856b533d0b3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
219KB

MD5
1c1e3e1da357fd640a21154c4b5323b9

SHA1
3c07ae2db58ad1e158b00a35766e2ae0351a17b2

SHA256
872cd3de3da1cdb26241d798e30bda0f4fb4e995b8762e5ac9add8d1796ef2a9

SHA512
90c178fcf4bddc3f95051cf15a694a3cc81a4c8a0bb673b8f5af2ed75f9c8fd3e3e5359abb92fbc0471eee5e87aecd73cf59ac71adf07c0762529834b61f55f3

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
532KB

MD5
26bc389a192cf59102adfd0d0a61b547

SHA1
75e3bed83f24bd80c58c2173a7e295d173cfe24e

SHA256
f42cebb46725992029f3a2fdab1918f32d3d026a37d87ae0eac6e0bcf574653b

SHA512
f9e8700f03a5659dab9c65daf468a810dc02e2414e10d6d4fb6b1b71b918f8e8dbaca11828a5b5159277753ea2fa9644cc998d49df5799a25bad89c2ae015e8a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
587KB

MD5
d9ab82e537eddbd28fbf2adf5c220380

SHA1
7de5f3e9891ff42b77e476c1002527eca1b0b4d3

SHA256
66a54e424145a62d66c6433c748d99d0046079730ca7bb337453d81de69ce91a

SHA512
882d301faa605fbe4eb32c3e41b4bf07b444bba616f2da8d376abc7b3c12224ced5c59f0ed1c7769340da1b13051d01b9ecd340e705fc2551ddb73492d6954f4

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
204KB

MD5
d47433280f53758ab87d70bfde98b43e

SHA1
ba5e474eaf6b54ce880942a1a9160a3646e13ae9

SHA256
1a9d5cc49524f682ae5dd6b8d13a3c0573466727d6dcd0ddb6809b70b537a14a

SHA512
24edb21f7e9c0a86d401772577b7f7e453a8faaba7ed6e886e2c584138ebaaa3b504813bb339291806e8ed01c50d6fd9dee3addbfbaf94a9d15f33fe73895831

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
517KB

MD5
407ed449640ed0fc9284cc9f0594aa59

SHA1
37d5f9ad0b7b8b5570ea30ac227e48588da9ed18

SHA256
20db8c8df79655b5ed4471e3e4b1beca9fdec6586e2d4a123988a3e60b3e0b8d

SHA512
c23c1870a9af5a943283cd965cf21d29b5eddf69b99e25fd2e35829c51e826a05c09045cc83996ff2765b9f2a5e5622e4f983d969122236bd4354898ff23b2a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
373KB

MD5
cfc5b3d00e39c56ee2cc26049f0d413b

SHA1
c24b08bfcaaca83cc45272b0c3a36163a671cd11

SHA256
cfe9d0cff644f7532b21879c81205d3914aa262764ab226972b32a11f5f4d951

SHA512
4e7cde33976fee8a74e5be80f64c0d4a5090379b63fefd7b001462765db051ed132f7f29fdc546a56a445d28c42f43283fb33b07a94f2a5a43c171051db3d84c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
503KB

MD5
d6278e214535a708732d73c0c0b3c238

SHA1
a4c47108c39432645b57dd6b1298f9ca997a6758

SHA256
7670382896989e935005f37644e4bc66c0aa94d316f7a57b50f2a7f8ea929372

SHA512
f53569cf5a940aba4eaad48dd2d37791c8c1608e1c65003265de3adcb8c33efb25f87a94911a277c773ad9e8c1c207e04504fa20f37f2671cd692a0690b3d0df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
655KB

MD5
563a547a88719de0cd55510660309b79

SHA1
7cc5060aca1708c4b3f322c30d5a825813387814

SHA256
afe42765ea7875c26730fe909b4dc5246c6402140c3e333ff4c8a58b27c0804b

SHA512
a410d5d9221decb5a4b8dddb541e80fe03dd5c339779e7e11cc0c2db04b73d264fbade2b26898c6187efa1e72fb7c70bf28589bf5a9e15aaca0b356fc1b2f8f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
373KB

MD5
03e2abceb98c079310e537135a0c7cbf

SHA1
9e75c25d74fa41d6c337a5b85ae1a4119a8ca404

SHA256
57c54537fcf7dbb93e8ea6d4b237a01adf14ae5d8a3ef6236f09928117914834

SHA512
7653f74baaef0783a1df5189a2fb4bdf43865ab1cbc5bd542994739a0d58c7b6eba31b0320225850538f32ad63c2f065b47e81b58278900aaa3ecf54ab026a07

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
583KB

MD5
ec7f4f32a77c6fe8181d0a490376fb9f

SHA1
176c8bbff7f85b96c8b0426f473c4b0d34ee8bfb

SHA256
6498885ad192a269586a85438852608fbe9b85f2637a4957e720d31ed4f7b2e4

SHA512
f6de670b71f3e680612001d2b6911ed225363c776374cf8e90b2d285b4a91890ad249dbdcf9c13ff73efbb7ae3d79d9060d46956cfba02806cdfde176168b089

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
430KB

MD5
c130a64a70a9b0f6cd0c3337d3d800df

SHA1
31d9495ea263149228f0bf598e078af0b331e760

SHA256
d54cfd48c6cf547dd791ada1c7413aa8cc649e8b8462745dfc2f20eda2279a62

SHA512
908068b06607ef4573105d9740350614720351be504b2289991c5601865d373cef3f0d6d2c5101a018191e9f462f83f44f9facb709e96f59f90a9475763c359f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
151KB

MD5
49a80b2c759ba36c26791167904b5246

SHA1
f0e229d3a2cf34326df791154fad981fdfe738e3

SHA256
3b9483c3a9052bc5bb3730f0b327b8476d40b5f83f01219fae312416b560e432

SHA512
a5060eb096627f846a9d438bf7f20116e1819bf65a54e5227ba8cf1084716e28970f8a34dc63f0beb5a188f7c5b847d448a2185bca83c7f1c48786e775bdac3a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
376KB

MD5
59c77d883411e5483c7cdd3c180490e7

SHA1
f722bbac3f776d19377592cd8799cf70f14a2cfe

SHA256
96591d305ea54e7cdb0f7ff750d231f092068495e9d768aa0260093d54b6bbc2

SHA512
dde84d6101871e1b6a2f8311ed8495f8c5d87b12e976c32172b823c75150e0b54126ccd34ac18b14f450399b4d12f4a6ca3064168081b2b6954929eabac60e9d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
415KB

MD5
2da98ad306ddeb9280261ae850b300ae

SHA1
6b535eb1a695ca1f3136fd9e30ace8848dc966ba

SHA256
542f77b1a7cf41e9ef162f80bc9185d7227bf10706d4d1d2cf5aab340c3cc251

SHA512
3b06f1775afc399854aee051c3fc913b0de1de04169e2c04cb66b782e9d35d53eb3ae3a1b298a8d57d342308083c89e0bedb25ebeaba74603d313243a53428fc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
567KB

MD5
aa8c42b456e05408b4c553919001e781

SHA1
a61e2e2851a68a95831499891ec84ebf6261e18f

SHA256
4fba99cb57faf65c3dd4be9d9af37c6a88f714891e667a945295d7f43484c1e2

SHA512
53b195bc9ab8e129ddcdbe95f5c0d9a1fde55a7e00cd0fdfdf261082ee56a56829a78da60bcafa260844272f5434563002f4217167bd0e1da6c21bcb50486994

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
488KB

MD5
8d9778d71e7311dac1abda7a2a1ee094

SHA1
55337d31f283d8a2428fe63c36987b600eab3781

SHA256
dc0016b5bb2f3880d174a243afa65215bf0eb742032c40074b443aeed96cea8b

SHA512
51673331f314c6d3164d8b9705c2b877e583366676add093ae9a10bdd2a1a2af7d0ff28318cc1ae08593c21a0a7519e2a1b861a735f3900ff219d1cc9a064fe9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
286KB

MD5
c87a2da91d6b91cdf5069a41f387c830

SHA1
f20017c651761c99c857cbe4d82bbea95702cea9

SHA256
bccfb68ddbfa3556d9b1ea540faecffaf67b374b96ba2829cd949a0fec5a43f7

SHA512
872fd1a5029ee97958e32abe93aa222e8af69df4a9a8af5786e5653536539cda3be88abbff85c4f2ab49e85ed882d8638843c174d5088ca7f159ed1a29593111

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
295KB

MD5
eebaaebc3a88469f7c44c02f1910f36b

SHA1
dc5fdfb3562c637aea03721386a0fba0714a7e7c

SHA256
30749d169c2db67aeaa2ff3f2a7a1d0bf86ce312bd4400680cc8b29d8619d943

SHA512
76c9ff1f036f034a3bc9b41c441ff64da7ab147b8510ae28118db675f2906adfd21c4fd591ae9e67a0dfa42a90bfa577263cafe9dffc9903bd9c9fe581cc5369

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
505KB

MD5
35f44e7e0ca4f8412fd60137ad05f2bf

SHA1
988b98d7d4eeb5854d144d52ef0affdbeab393d1

SHA256
352bd2040f374eb4e011862045fa159bcf15d149214dbe4f96100b7da3789992

SHA512
61d4a842f0fd47f635b88abf41d76ee817d9671bf130ed3c2c05e3b6b964530eed9727cf13d55a7f3a7e2d1120364c6214b7461f8e839e1c953f9fcd1a163fe8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
387KB

MD5
40f63f08f560b357a3965402ec3ec0e8

SHA1
295655335789de92c80bf884b58654be5d2244c3

SHA256
862f064314d2b9ad98d980b637cfedf487f93f1a00e919e91c9f7e1759ce9489

SHA512
18da604e33e1a37bbc509d208ec6bc49fa7c3847f9119df75553723f002f328fabe4d94f4ab3f93a6cbd6a47ec28cab120a21fe65f3a3e074d0b181210cf2bfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
374KB

MD5
c52288d733ad4f608fa8ea51b2c126e3

SHA1
8487234f985053857895762aeecaadcd9116740f

SHA256
c35565ebf71018dd79386dbdfcdd1c53754a05b2277ce44157eb27791eb651db

SHA512
9f9a97dca91efc1fff81034b5f418f9f7e00e782fed54e47ec4918471a3ea62929f4bb7a18634fdce8d36104f37cc0b9f67fd8659ab6e7c6a272a8a01b9d5f44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
365KB

MD5
e0be58ae6f413fc815101a1daba15096

SHA1
fda4091f0b0d69d2204b32a2578e8fce30289f19

SHA256
b6ba002bb152fa8c8a944c5411726b36174a69a7dc7204454c4c01c74a30fbf3

SHA512
b248e9504265d1323d4d0c2d820c933f875f84f22983957b5168656fe70f24904647eed6284771ea04edd75a53456d9aa7db635fcfad2f8eefc645c80a7e3659

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
390KB

MD5
35d9f658d5434df7fa0c806e74e77837

SHA1
33f0267e5715a11eaf5696549224f43d95ccba34

SHA256
fc07adcf1205d97e20e9fad8887f8cc486d6ba78220993ad78b6c3b297ced7c6

SHA512
5257416ae5ab5fb8355feb1eb86e59fd7c6b0a33c88e2ec9016038fc64f1890f6f26a3f2fae7fb16e86dc1c34e5ccb80bac99f3ed50135bd48dd75bd2d03a949

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
321KB

MD5
5c2a64663b726b8108ea3483ff4f9b3c

SHA1
6f8825583d1038116530381f18aa3f5929ddb70b

SHA256
d53ff8970975b7e2e51750c5d1a00618c76affdba39b366ab6fcbc414c8af736

SHA512
40f7efe901f92cc3a9d4cc47c599f75fed9f8350bea093787447cca0845f250d43b3e43a4424542f0838807d8b0226af4ed26809a6663e41b2a39769f5f3e60b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
236KB

MD5
002c22972a9201803d682c6c1232644e

SHA1
b4db0e75c3c60be8b98c00e4aa9d8715d30cef0a

SHA256
f9827dd628887616dca1e493d87c05feef869e866b348639bdd23ba363acfaa5

SHA512
9d425155555902bf27f7a4ff86b38a9a6d5b620e088f99ebd4f2fd2e1f0679def006f54ba56ce54fefbcbd3b95c821771d94917f8fdc16807a896800405b3c07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
375KB

MD5
6601a9793a9f323e885ea888a0082868

SHA1
ec987343598a3f26bbf659f0f07b0438e20d857c

SHA256
b57ca897639e6795178fb0807d981a2195e7b34b9bb61f320c14826102b1eae1

SHA512
3e2e9cdb89ad9df9deae93eaf0b983e70568918a8455062002344a569274a23c5d19bd4bf4fd5a16b085d7329d801e3be0e31c83cdb82374667cc7ba616b6717

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
415KB

MD5
6fdedc28f86243a976002b421ac0e96e

SHA1
d04edcc2976898fe80c32700ea2b260efcefe443

SHA256
18bd6d9556d42d71587ef4d3edb9ddb230983cf1146f526880241b65de95cbb7

SHA512
15d6dfb53e11b4fa9d1813430175d847b91f048a2b7dc865bdd3dd36c6b2e08675f3988b1b9bb60c1e73a96a1b2bfea6473d6c993492212f7de5246484d541e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
188KB

MD5
6b3ef61f5b0776766b0b69350511e521

SHA1
a485b7c6c5dd1073bc3da272624eb2311405bbdc

SHA256
f99e1a9986ca595522f2820498d9af7bfd10f8ad89d3a368661a71b3e03487ea

SHA512
68a64c0d9ea4573326f298ad7fbd2760b954369d41de53222701cd1aec1cff384ef985cd480c8d5370ad0d38dc56bc538ee6d43c058ef35568816f644812fedc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
225KB

MD5
14a186d5d0f53b6641c9a7dada26aec4

SHA1
3fb7df1c0dbd5b103b78fb88698dd7076bbb7e58

SHA256
1aac61f693171b30d0e08b5827c847e75fb3e33772ea1bd5899fc70f19cfb63f

SHA512
b19234a956a0bbcb3ceb92fdb56107dc96fa1189eba4f95c421cb5aa59a41149d328dfd133062907b520c7e5c75e1d9f99e9058ccea10af1cebbce7cd223ff83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
364KB

MD5
60708264b2438ef7c695bbf27882a65b

SHA1
8dd4f5315fcc6de2e4d75efc2724743196e3ad89

SHA256
57c7123e635013f565ef4bfdf04fa98535c36c258e0becd471eb7a98305eb1db

SHA512
3176e1779713280c1bb9de69af9281f35e1881c1fceb505bfc7816d043088d69b9219c23152dd1bed00f7f0c6923a855ff3d7b9c0fb7e80592f0de8ec7c97933

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
420KB

MD5
9590f9bab6b09f1d3885a39f0ecb8d3e

SHA1
62c2109b73a71448b0a4b72d219deb453dca1f38

SHA256
3eeef62281e126eef510cb160818f06c24ac28d7bb931ff03ac26b72176dcbba

SHA512
42e7336f6321b2a076cee0241b3238db0b63fd0ab6bdfa442994db4dfeceec955baaa345bdaa2b8164a9525c23c23a778566e3061535bd4fc29fdac6665535c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
213KB

MD5
fe415779d3423d1833186049eb915976

SHA1
5b2e625e7089ba23c662ef1f29b1d1c7a731240a

SHA256
9c023774858caf74abdbfeeda1be61ecc406f527597d5995e49c8bdb4ac71a36

SHA512
3bf276a6a962c6dfbaa6b16e488ebf8b264cc58a8b9345b28cab35701adc291426a2892b41308c0d3027cd2486678097802b5f55fab7b4ff72fef52f327aa561

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
364KB

MD5
ba3962c81b7c20c66e699442e31da519

SHA1
96182d84bb4c9c4bd8151d260525a3fed87e82c7

SHA256
94f72b57d0ab812d924adc1085b9a7d7175a0fd05d6254b4cd5bdf28b4971d4a

SHA512
811e861eb00cf420aac3554b8d698f020fed9d2e9b382ffde4ae33a28b599b050c88e34701aa6a7efdc8e44fd9f8e7f6493f01debb3d1ff991a7388dce3d9f97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
290KB

MD5
ada5c43cb27975d630cd70342de7c88f

SHA1
fb2957211232871556ed12bbe13d6cc10a84f9c6

SHA256
bccc1c3370ef99d6c051e158a7517ba721a65bc04acc941633b25d9069abbd9d

SHA512
e0498d97e21ef7ddc6a61aeb6be7ba1a5d8d6258aed8acf3738df24a04f8ffb1432f082f5db1ed298c241300a1eaa3a0cb932866784d50e21aec870634225a0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
194KB

MD5
7a443bf2d4a5e7dc5ca5a5a3a37c6ae0

SHA1
015472ef240cc3fa483db5d097ad6aeecd88ff3b

SHA256
37616c7b3e7eddfaca6d184c4d918d526bfb42385ae9c7581ca755f353d88fd2

SHA512
dd8baa60791327e8bb3f667a1efe60ea8cba59d1b62c23eecd5083148f81b410852a931a35d6a1f4f889ccb534d652ae9b6c51cfb19f1e5d8a8b521818489b88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
209KB

MD5
35edf7ae34fc74b59f2fe983751de25c

SHA1
98ab9424e8a99652832b0d9146ee04a2dc6a1f30

SHA256
6fba38d10b6f961579b81371e7e746f84eeb62d620ef6ffa83ecb64d87b2d741

SHA512
aedd76b12d5c804baaaf0fbfa925f672c5ff7e0ce276ffa04d50034c8ea3eb03bc818d45357460fd229de4e1460692d2ca2a108b1938740f80065a6c1d524374

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
283KB

MD5
84e3d92e9d6540aeac52b03ceb9e54a5

SHA1
4f2de094973dc8d74b490b4731ee10db077ca5df

SHA256
234e00dbde8ae67729974e4722963631b2ab8f3b2c8319e4bbb29afd2f113983

SHA512
bcde70beca686edb15f1df817da386911c6660caa469507f20354971ce9384cb68b32bb53acbc61e91b8f63dff85a333a469254a0212da059444c3ba8498aad7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
296KB

MD5
214069a5b45e06546a0e777c18438ad2

SHA1
1d3f34b1e222b38702a0231c3db9e5e0380e5197

SHA256
06ce4ac1dd216195ec838e3a583e522f4c1f396298cbe6287058cd7d95854af6

SHA512
8bd5c4d5d74ec58ef1cc2623db4d1e082a302816dd85ca83e8fceca361e98aafaf353a112e98a6babe9b9d6aee57040e56b989c6ab7d2a6274d2548b7be9bff7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
291KB

MD5
a0962385d1828ddb1019670c211898e9

SHA1
2293b0123d4c8c1200286d033ac3d86f9ae30bbc

SHA256
31fb36a28d3e832b52143d91c96bbcc0417a7bcdccc34a04e368092f5612cb89

SHA512
f3706ceb1c270c789b02d188b2fa90eac7a382d1decef72d186c8d8941207f67dad3b5452555cb651abd25f8124e07ca133291f0a318d902c11d36759daedab0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
257KB

MD5
711c474ae79b5044955de9cd9e56e092

SHA1
4d6adadc961b8cf78153479a60548280adf3179b

SHA256
304d3ec0d2a29d130cd39d02cc7bd5ce8cef178fcf10dd3aa72dc74f07d98dfd

SHA512
36ae7479fc777a84430044c59b5ff83cbbf1cd3b053cfc5d3d2852964c06f6a994127265002630a102f13943561b029364b3b5c04d9506846eafab7bbd704a4e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
557KB

MD5
e5570a47127e1043d293d433c27d65d7

SHA1
8bfc001043f535ec352b7f56119c35a86791bc0b

SHA256
fbdd120c876cc2bee2739920562f1e4c7a2b54589f75c3b8b4884d7a5a4129d5

SHA512
e3e2c2e93f8333764fa1ca902bcb02eb60399f95f0238c77b2e5dfd05a3305694691316cdd0d332386ae4f8b957fafff3eb8b55c1d8e1627a21aa3d3428a4d04

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
65496302fe2c510d2619d2acadf560ad

SHA1
d7aedddc50cda847ad83f6633c775a7f9f3ab2ad

SHA256
b638a7653c74c0bbc0177df58122455a0cf98fe6421c6cbdb200e8fec8c9e813

SHA512
2422ea1fe035927b90e3c0aeae43a40b4b90be20de0ad52e9c185c7d594da9816ad2676c2c79ed10219c168efdef2df3a25bd8c290ec5f2f39df8036eaf3895d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
495KB

MD5
0c96a91672dac9b3d1a014c36478bba9

SHA1
cb634c1d99f1ba3f1aacc600bffa5bc6cec1ca3d

SHA256
c852a0bc354a41d65f7041ecbc523aa5669bff5055bba5d5dd85159806d89771

SHA512
02a1fab58fce22eba902da61e62fd8dc0c5343ba30c4a08a5ab2c0af1510ee5cbe7633c053d66cc2be75ee013b3309907d46c358f3aabfe59c2f5513569f2ceb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
263KB

MD5
3d2158d0529a38e5171ce77fcbbcc5af

SHA1
79ede8eeff3e281a70cfd972f23e9059ab9e718b

SHA256
6a6240f4faad9ace8794ebc5539e75d9f51d0c271314c22d02fb8671107692bd

SHA512
05c7ecf67f206ae716269584b64d1aa96cdc8879f959f13dcd40ea2c84d4af919fb7ae2ee3711fdc8819f341384b95cae4cb79ca2ac357f3be782ad94bbe0f2b

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
9bf8c731c4e1b9fab94f9f4022c1e8cb

SHA1
b07f2348e28ffbc328aed1d29e13df72bcb951bf

SHA256
f3fefb12902c78b6caf17fdbe5965e5de5011dbebab9ae1b9bd6c490296bf9e2

SHA512
418c958e98b4e5dbfedd67a6d7c39dcc9c6dee20cd899d6ac731337470d46ceab3e277bb575f5b271ce428af5f6d814edb9c66be155cb915ed2a9583e0265e65

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
a25e5877abe9a356265cd790e355bdee

SHA1
b8f5ecb035ecff8e2a3c73e67d0309902a60b342

SHA256
0d934147d9e7fde0816ea2680421de3a0fce9e5d80722356dccf1a6507e39da1

SHA512
f103e30eec62b0b477d1593b00e1feccaaf7cd9f7774a0b867bb2b7381196a6f36e3b6bcdff96b0f730c0fddf64cfeabc7501c1cd9edcc800c8fef0f43d9cc4f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
547KB

MD5
cc327d487eabd66490813fe613f9fb09

SHA1
6ad12ff9a327917933d444ee2995845882a06879

SHA256
a24313f6b27dcad4669d918020bc81d63135f2829742d03dc43cc7406fbd009a

SHA512
20322eeafe6248165192ceed45f4ea36f02cf10dd069503bbdae1b5b19777f93092d37f15a4b4f632ddc48c24a8f93021b11f69d79ff23e2dedeaa3ec6ba8774

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
576KB

MD5
0c622989ec0c7d398412ad34723b3660

SHA1
3f2a18f155fabdb25070403395610f8f93a54302

SHA256
ae807914ed79b544a1125e1d64aa5203a6db861ab7cbe1e191efb3b0f5738663

SHA512
56176c50b9de267a6704d795617a9d52169cd0ba7578007435deb2bdd65d4568b32cbe8c4e5e15ed5a38642e55375eb90b39ff595d45710f7e2828794c78509d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
3762a7e92cc9378d5bdafaf0ef216313

SHA1
6a6eea05327b568495fc1fa063272a0459dcdeac

SHA256
c01bb9be427d16721ddf9eb76a83ed81a2818381c43b30b758573e085055dd2e

SHA512
ad66ff54d9f3f2682365af82ed47c2353b2b8657b246e3710949e873fc48ff23aa0b0043e72632e9698f6f5eae1c8b4af449f68000069ff527949ab26f30be0a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
362KB

MD5
03a34c218b93a1785d8b641b5f7d5477

SHA1
d52a4e1e573e5e0bfc76aa8424b831fbec03898f

SHA256
64b4f6588bd33ab1c1aba17c726547c015162b111eaf610b7ec008be894e4c21

SHA512
9911a486a1eef717cc73a38b6230f27c597b52ca4bbd5466d00dcb2ef133cda1e500a8bac2ed42db3416b2d308d28f70689758a57c01f0b6300a06ab700109bc

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
977KB

MD5
77b506f687b60d144d7f1b2acb261188

SHA1
fd5f68759dce443a2818e27a4726658022b05137

SHA256
3022528329f3ff1f4fe7213ea8c2c580b8f58a134c94bc5c208ae89a384f0534

SHA512
c5049885a67b67e8041dface66ce13e6eba293bf9a8f133555575d062e8968a396b7353ddd27bc772266194887a67787e90a0c1a88275aa7b93b5652ccae9853

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
949KB

MD5
2bb971d228fa902cd434e77afa1a2f4d

SHA1
9e91027f5b309558dfcd52f40a928e9089016627

SHA256
247de50f52aa12b33e553c2b5c6b408ff24cad2b9f41cfa84b654dee917f8e86

SHA512
a15b5a827414068fe44de07fd7ceacf062bac44b18d8529a0c69db42a23735facac1c69eaf824efa4d791ae21270b9dc97cf4f47065ce4ce88066dcf0dc2f3c8

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
786KB

MD5
3ca1b4eb605e5f33fd240b12c134128b

SHA1
87302a97565b575e4028d90de629c4aa5ac19133

SHA256
144d7dc4947cc231a7ebcecedc601a4ece4e8dee9631458260afea321321468f

SHA512
9d1e0ba52068ccd50d1dade26f5de528f252b7f9e35d1311a7220eb786bc6f55db9a72ac82bfe0fd3f9a26ceeaafba393ce3fa2125f0adefe3c9e4f09e9cb5c3

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
382KB

MD5
421dea3cb75be08bfca72c520b168172

SHA1
8835cbd2ed2f88cfee6b00cf7582ce5cd6a426e8

SHA256
8937a2f2ca247a5afac007a71bcb907c35dddf7f00be9c61c4e7e8a142cb2a55

SHA512
3bfde0403e9e16f4a7e2a5ad4195209f22a67727d9a81457773367dea624c3b7a859733a192ab61b3f104708c3abf5e6337bc768c8607449aede546b2b5adff7

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
1a093d2120229563c6c4e9e7d0cfa983

SHA1
692a985173ab47e6b9681ecd12fb3ab8c41c6c45

SHA256
0f76bc24be61f587fae093eadb9d49be4eee302e9639d843a21637252c1bef96

SHA512
361541ec50e47e3d589f224178380f1b9ce2d568e22fdac64086ab5c6ef308612a16f0f39e0947aed218abbabaacaa1398416f698120b64a6ac3864ea27ecdf4

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
ec04ba3efee228010afdd503e1147f52

SHA1
1ac32621067418ed438898fde07331e5aba71260

SHA256
8b9a5e857d069b70ad869d7babce9f8bd46d1c01351ca199e6664f094d7e1619

SHA512
9c579ac420c87f5cc49c13a67d94a5cd15bb28d71fcb1687e3b37288e80ea13749a96665f973879eb311426312ea7ab01256003103c64decd2c470727d50e660

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
18fcb60cd0ea11df10f9b2e23dac4467

SHA1
d58a2e5597ea824127aa51fd1dc8b447e242451c

SHA256
046087ab9b3dd1c3491916cd177d3322c84bf7d47bd123b996c71e422c9d6ab1

SHA512
fe537089bd4747074fa1a793b4b0428b22b082c87a6b22d74193bb892fbba1af6cc5066e1eada79dc3e6d50b8a7df0d4a8085e02a69543db01a85cef6a8e89d7

Download Submit
C:\Windows\System32\vds.exe
Filesize
652KB

MD5
067ccdf8cfcf5553b69bed9934dc9f77

SHA1
f1ec9cd11465fc9ddb8322e6e482c92146b3da12

SHA256
27af27b38d2b9f630306c3a3a0387105ca310a836cc1ea76678d3290083094d8

SHA512
bbd26032ed71982412dc49386973f7a1add4cfb0626a260d7ed01c9ee1bc287fb50a180a7dc6729f8d5183768cd4235ebfd7485afb51f460a0cc5bb18ea09dea

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
239KB

MD5
e644327272838429b8c2dd70a815f41b

SHA1
612dd9c25af8d629bf9aa5439430b0aa7bdb574f

SHA256
131481ba56afa5b1a492d12d644492c9a947581d6019f1751de9d88db73bd40d

SHA512
414866a3ea5e44f2559858d1982711a91b71c1408738626033f3fa8c93aaeb19b8405a0dfd5a68e4ac55309db8253f7681231cee061acc6d8bbe42d4f2a41179

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
297KB

MD5
87793b58e25f6102722b8f8c0660d4fe

SHA1
bf8cd75f89b04ce004a41685ddab64866df00c82

SHA256
554b84338a11f00011631b69518169f0ebe18955eeea394497d62b791a69c285

SHA512
f4762718f7ea815404b0aa89e9998f6ee5ba516acd538f9db2129139430c6308c18c92f0c99bdf339d34b7d78ec5e51c506dd3fa6a5021b71e2c2ae8c7d89129

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
284KB

MD5
49e87c02ecc3a8e4b3aa2535327d394a

SHA1
4be1e622c62af199ec1cff5537a5030571ecb1fc

SHA256
3775f519308ccb2a5fbcbee0851adc79917f177fbc59e5990cec1a78eed8c067

SHA512
d7b6dd5d0bb532f30e35cf70474d253a0792e479e283ab3832d59830458d632c76d9dcfe8846afb2d0209e7823c4c25ffaf105ca203e3543545dc46bf7f300d5

Download Submit
C:\odt\office2016setup.exe
Filesize
454KB

MD5
ae9e66b91805c907dca765e3adbd1917

SHA1
9738375d8dde2cf353c608e8ce373e9f2b094f97

SHA256
0f5b4a0d15cce335b0a1ff8a02291f23035d9bba21238403e90749d368b70835

SHA512
754243b7b88475c3c1c3840074ea5f893172194ace14b15c88698f431203d898f8f01299e399a0731bea3b03e5baafc941e3c1443d24c145da9e66ead7f17254

Download Submit
memory/220-468-0x0000020DB7FF0000-0x0000020DB8000000-memory.dmp

Filesize
64KB

Download
memory/220-444-0x0000020DB8020000-0x0000020DB8030000-memory.dmp

Filesize
64KB

Download
memory/220-455-0x0000020DB7FF0000-0x0000020DB8000000-memory.dmp

Filesize
64KB

Download
memory/220-431-0x0000020DB8010000-0x0000020DB8020000-memory.dmp

Filesize
64KB

Download
memory/220-465-0x0000020DB7FF0000-0x0000020DB8000000-memory.dmp

Filesize
64KB

Download
memory/220-445-0x0000020DB8020000-0x0000020DB8030000-memory.dmp

Filesize
64KB

Download
memory/220-454-0x0000020DB8690000-0x0000020DB86A0000-memory.dmp

Filesize
64KB

Download
memory/220-453-0x0000020DB7FF0000-0x0000020DB8000000-memory.dmp

Filesize
64KB

Download
memory/220-430-0x0000020DB8000000-0x0000020DB8010000-memory.dmp

Filesize
64KB

Download
memory/220-462-0x0000020DB7FF0000-0x0000020DB8000000-memory.dmp

Filesize
64KB

Download
memory/220-429-0x0000020DB7FF0000-0x0000020DB8000000-memory.dmp

Filesize
64KB

Download
memory/220-469-0x0000020DB8690000-0x0000020DB86A0000-memory.dmp

Filesize
64KB

Download
memory/220-470-0x0000020DB8690000-0x0000020DB86A0000-memory.dmp

Filesize
64KB

Download
memory/220-479-0x0000020DB8840000-0x0000020DB8850000-memory.dmp

Filesize
64KB

Download
memory/220-443-0x0000020DB7FF0000-0x0000020DB8000000-memory.dmp

Filesize
64KB

Download
memory/220-491-0x0000020DB7FF0000-0x0000020DB8000000-memory.dmp

Filesize
64KB

Download
memory/220-478-0x0000020DB7FF0000-0x0000020DB8000000-memory.dmp

Filesize
64KB

Download
memory/512-308-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/512-254-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1112-245-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1112-71-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1112-70-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1112-78-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1200-285-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1332-18-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/1332-0-0x0000000140000000-0x0000000140099000-memory.dmp

Filesize
612KB

Download
memory/1332-21-0x0000000140000000-0x0000000140099000-memory.dmp

Filesize
612KB

Download
memory/1332-7-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/1332-1-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/1372-325-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1372-282-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/1372-274-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1372-275-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/1468-352-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1780-442-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1780-311-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1780-320-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2288-40-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2288-241-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2288-32-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2288-33-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2292-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2292-55-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2292-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2292-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2292-72-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2372-293-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2484-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2484-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2484-237-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2484-17-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2672-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2672-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2672-242-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2672-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3216-336-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3216-289-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3540-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3540-304-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3540-296-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3720-477-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3720-330-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3884-261-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3884-266-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3884-267-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3884-259-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3884-318-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4044-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4044-80-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4544-461-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4544-322-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4688-340-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4928-250-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4928-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4964-326-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4964-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5028-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5084-490-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5084-333-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download