kinsing | 2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
Size

1.2MB
MD5

9c570d450016d56e5a1bdda735539075
SHA1

f369d3186cb38ad6472da7b14e814100356020d1
SHA256

2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a
SHA512

b567f8b216c5bdfd312b833756c29657e49d5a890bb726d4cd37120a8757c9ecbbadc203d60070470e27810b41b7bad2ac8033c1cf960aa66a275c8cc10930e0
SSDEEP

24576:JTN9gj3Htgtozpyj4mIexbUSAL2mZ7mzAWbeIYVgOBvWi:JYHyELexbUSCfmzz9YVgY

Score

10^/10

kinsing loader spyware stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
808	alg.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
3924	fxssvc.exe
2904	elevation_service.exe
520	elevation_service.exe
4760	maintenanceservice.exe
4784	msdtc.exe
5096	OSE.EXE
3132	PerceptionSimulationService.exe
4676	perfhost.exe
2804	locator.exe
4472	SensorDataService.exe
1924	snmptrap.exe
4596	spectrum.exe
3204	ssh-agent.exe
744	TieringEngineService.exe
3880	AgentService.exe
2208	vds.exe
3200	vssvc.exe
4960	wbengine.exe
3544	WmiApSrv.exe
1752	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\System32\vds.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4717ba501f063bd9.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exeDiagnosticsHub.StandardCollector.Service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77703\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8aead20a84fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a42de1fa84fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000673e3b20a84fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009da6c11fa84fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000928b4920a84fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005586c520a84fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004314e31fa84fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef9f3d20a84fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1728	2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
Token: SeAuditPrivilege	3924	fxssvc.exe
Token: SeRestorePrivilege	744	TieringEngineService.exe
Token: SeManageVolumePrivilege	744	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3880	AgentService.exe
Token: SeBackupPrivilege	3200	vssvc.exe
Token: SeRestorePrivilege	3200	vssvc.exe
Token: SeAuditPrivilege	3200	vssvc.exe
Token: SeBackupPrivilege	4960	wbengine.exe
Token: SeRestorePrivilege	4960	wbengine.exe
Token: SeSecurityPrivilege	4960	wbengine.exe
Token: 33	1752	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeDebugPrivilege	808	alg.exe
Token: SeDebugPrivilege	808	alg.exe
Token: SeDebugPrivilege	808	alg.exe
Token: SeDebugPrivilege	4468	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1752 wrote to memory of 1576	1752	SearchIndexer.exe	SearchProtocolHost.exe
PID 1752 wrote to memory of 1576	1752	SearchIndexer.exe	SearchProtocolHost.exe
PID 1752 wrote to memory of 4716	1752	SearchIndexer.exe	SearchFilterHost.exe
PID 1752 wrote to memory of 4716	1752	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe
"C:\Users\Admin\AppData\Local\Temp\2088914a799277cf237a85ec33559ced9ed37540ba39a8ad1329f4bef5ecd18a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1176

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:520

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4784

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4472

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3204

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1576

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4692

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4596

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
344KB

MD5
d767f95304499e879d23152e34ca2a20

SHA1
51ec827b2d7bb595632d06f7862a664021797684

SHA256
87ffd8bd5103d6689c8f41d29562452ab0e30ac696a4957f128c40ddfe5c91cf

SHA512
d2efa5465ec2accc3efe7f50388666b531b06049eec4372e74d323d42c4c121ceef458dc786e331df7087e89ea7dd5a71d417a6db2b015aec2371a8d42a127a2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
271KB

MD5
2f073d5063e8875dc0d6dbaf1903c2a5

SHA1
ee63347867b6ef3860510f55a751b8ad9911825e

SHA256
911d34b370bf93b98e32a1a1a1af93a418e409af7a249d80f990574ce626d118

SHA512
beed9d70d204246d87b4ed4962ced0b70655c3be1d46af396b7d8b1d3e4f2d014c073f4b505ff94c90be7e913882a07bdd3773eb2a19694e5aefa76091929f68

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
260KB

MD5
28110b1d3674d0a843deda64774c3b96

SHA1
76bbc2e7c11e6d5c31be632ed54e88346ec179fd

SHA256
87624b017f0c1795508f4cc32ea504a706e17e63f3d6ead87814e7f147d7eb04

SHA512
510226d1875e391ba59d63f303724f1e57a606931ea94d17bf0846b331a9beafb49fa0cb8b6b2b0c1fa915fb729690d9b4babeaa6ec9effdf11c8519e807ca7c

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
298KB

MD5
3585cdb6440146703d92112323ff7807

SHA1
539d7a9424d5e2ab66a598b2533bb5e81ec914b5

SHA256
2593e97684b328bf2e40bae63e4bc79e54d74f2673a593601a41053a438508f9

SHA512
3bd73fe51f416429b1b4a926151a0e02baee1451b8e72c6e3bd3a12ecf2a6d44d9f8a935be253d46bba7c525bee4057d38f0e1178ea5fb4fa3e8b9ceb45fd43d

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
238KB

MD5
069e3302d3b748f1ed9334c2fa852642

SHA1
c623ac6d2ed925f4e7e276db2951591ec21cb10f

SHA256
ce6f2c12cb7023e55398b17545c7b240772fc46bbe33c132956d870fee1a6663

SHA512
638c8a97a22ad2a3907df95a90cdac65c7631d21e2d94de2b7caf285b4a465a48625d34f1e2e5240abd35a90fd6538668c64dcd290b42ee3c5e7686d926582c0

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
206KB

MD5
c7d4454d5e7fce146901ab8d4f6b134b

SHA1
6f894887547b7319312eacd11a6766d54ede2a82

SHA256
c5ac3357c09df7f64f25c326f40af232bb18e4a4c34bac34f4e1838648abaab0

SHA512
aa6e9339c0a474c3e8efb0dadfbb7a86e04b81dadc9d54f8c9e549b55e3bda5f6c34e1851ba7803cc4e51ba6c90caee2c6017bfce485a707fdd0896de0858f86

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
311KB

MD5
687f1f74645aa4220922c379d40b92f7

SHA1
ac4873104ca55e6c36800adb68c1ecbca93ba67d

SHA256
8426254e0a234b62ac0dba682163b93f551f044712bf996e72fe5403dab6ca4b

SHA512
324c4cd64158163da798ea2cd334001a0d6658c2fb3d266032d75f3b4d45beb53c3cead1651aa73d3a4a64ab92f7c98d0bc203308772e6d326efb6567ab1dc55

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
126KB

MD5
bd2810e46061b8a0a736f7dbc804f552

SHA1
35e51bc050dee7214eb906c2b247ecd98746c026

SHA256
9694eed824759c842b5c63eec8fdc3f4c0cbbda4ac40544c28e9952aaf5499f8

SHA512
c59ca73e0ab5952bcb7f94ae37ea17a24a35cc79159263e87b104859aac512c35754790d8cb8ac8afd67373b6e1cb16f34611bd448bf06e094f418947739748f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
314KB

MD5
9c0a069f8f62b760be39697a4cbef91f

SHA1
f20bfaa9a59b9be871fb4676bb111fd03c32c8ba

SHA256
2e407da1fbb71d2fcc32e5b07c9b5028c0acc612e97864d100089336f4f8687a

SHA512
32fd1ba3873bf159f71c6877ff446bcb7f3b71bb0ef47ad93ce9a00a6c6857281a791f51bac2f669a024373378f9b4a2410eddf9cb3daa9168b2c9df8906b3c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
160KB

MD5
b3a76b3f52b559c8ff77d5745a817f2e

SHA1
a5f943e23dcd3ef371995595a04345075800ea40

SHA256
11c7d7a45434344fa1f5a5c568e9f9385d38699d46ab353b0a9a8dd4144b1212

SHA512
028d43dcc2ae1262fae7be5c6cb7ca1dd66ea6cacf932e2b3204d0b5c85e2ac4cef4dfc2af3c8fd81c52866a3563423557e602267637c4ca2042964214e56fe9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
23KB

MD5
4fc605cd0c1ce715763c79790e52628f

SHA1
b4563baf18dc4d52127163adb95483f480f3db8f

SHA256
5829921de83d519d0a8daadfa9182de8dc3ea41d5583af7e0a4b64651f990a0e

SHA512
056a2690c2b985ee0241c3f8c846191c8d2e9f3fbc0fbe19e4b64640304dac0d562341a592ab0a9c9a63291a5d39f3d1c88e67009153bffd2102fde627e54513

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
249KB

MD5
f48e71da57bf8c5e919d1df1a1cf4df9

SHA1
9f0fc0f17109d8e9d0fbe0c2525615e2a1484205

SHA256
904d6f0d9c819ef402de75b0784199d4f2eab7d04e888247a399379e2576389e

SHA512
c49789eb7b6710da3d127d509f5c2e18d44abe44e5c41fd8e3f69cadf2717401b172b3ea7b6cb5350703ea4fffa9e4c9d03b1bd54585b42917cb986ada6f9865

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
85KB

MD5
817e807a3946581366e9c2bf28244ecf

SHA1
a6ac7d48663044b1cb448943275638647128c5a2

SHA256
b78996ccb0083f7a152cc8fc27b504dec80bec57e92c5fbade528ee9e1db360e

SHA512
c8ad49c082a1c75856ef016ee071a76e299d366683fb8561895236ec84b17b6fe20f89f216d7da50889cafda945d67d37a33d6ff1bdfacd6437df3c5d2bc4ba6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
155KB

MD5
17b9f8970ba7899dee880aaa349eb915

SHA1
00ea8a4a21a396f71c6b58e213419f0558869764

SHA256
632d4f8e42bb09c663e350b0682ad170d27413b3bb322998d7e61fa2fe7217ab

SHA512
962282cf02afcaeede9ba5f8c1d7b62bef975326b8f1eb9d4d467bf4e377a217b2304141fad5990459639d3469a4fdee07d5a99c83fa666cbff499f19db5a72d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
28KB

MD5
449c5e501d9e38052ef53913809c1556

SHA1
30752a5bfcfb1a5e2f5d0828f49ed07471b3d174

SHA256
b4547a8cf49d012d7d0e5b58e5d75bc63d7a7ca8e2fa1e03954c303458c69907

SHA512
2201d11df20988b22e7b05196513cea52d5aa41288825b16447412de6c870095fd537ffce5eaa86ad2c7862c08e2d08a8a97ace1c76e8f5868a6657c24fb2f1e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
75KB

MD5
252a13177360790d3e23977eb6eccf9e

SHA1
071cd806e948ea80498bff61e70aba3c264ae7b7

SHA256
fd86d8c205a38c5b9bd050ff313b9daa0b2e0b0bc0a87e8d81ce7c2093ced0fa

SHA512
cd7c5838efbcc38b3de45a9f130c9f5a37fe4f4229f05f6172856e53c7ed06239ead32c8a3df7c9db7773bda3f18ee2438775d190b2d5b4194a9f5fa4d652d8b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
61KB

MD5
1b4bf63b37e0b08768a4796732f149c7

SHA1
7c2b87401258a4107f2f07815ccbe8289bd3778f

SHA256
4abd3e3c459ed617deb15a50bf744f629e6a1ae37dcff5eaaf0feb84005514bf

SHA512
22aa60c1c21a14cb5ff6f4a320687b6efd3fac62fc78abafdcb96806baa646e2e821fee518562c1ac1ba0c48be43e4c432bb44f646717da04d4c64090c6119df

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
71KB

MD5
2f9ff2182f8266d62ee8cb42791c137a

SHA1
6fb45a5b0304bd0940c8ebcd0765f718392ca99d

SHA256
9bee303304fe4c3d1290fc4ba85e5bf0ce96e300a21846f3cfeb0a0cdfc2915e

SHA512
11857edd8a8622993f91b107ec91934ac27867ebc5b30bad22a9f78ffd68a3c9a0a8cde026afbd60eac6aa141f8621f63a1b5d6c0ad4db28b7ca573018780c21

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
431KB

MD5
e3a2e1e3ed5aae4e0933123feb98a225

SHA1
261dc0c578bb1ca578180fc693bdb3cae5eedb44

SHA256
a60287e8be4b78ff23996123300c4477c65e5d0237e6dc18bdc1b324b046b8f4

SHA512
8bf0e10f4b0f41dcef30a613b3dcfb088c73f9f06b502488fba5c7738e66b0cc9b159f952847cb534f6934e1b783e4fa9810c9ccaae5575922d8fc16269e31c5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
58KB

MD5
df907d23869726bc698d6aa10798c476

SHA1
0a30f64cf5ae075d53280a455ddf1b03298b37b0

SHA256
268112e1cabbe33a037888cd1748d41e318f940fb4f7a7586c95583427480338

SHA512
0e58b6ec6660b12ddaf1a402ecb8e5d4cc2a9b12e6e8e4051f34d4ef15c55e43b0b46103dcad98197f1548e0ea17866eb0d6658caab0f7f21f48b1240865bb4d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
210KB

MD5
d2f53f8ed1b7ef16a261874fa84ad614

SHA1
a84ff2c45e191acac722a6642b9a9cfe0eb1ad8f

SHA256
1b280a1dc271d4d5f20b7038e54d81d83f790d7978944bc1b444d0b081277307

SHA512
576fce4ff6a72c4dedd20cfe598ce24d1861084d8329c8349971c0a078b52e6bbfd9a4c167b17b5416244d1f0c2e3b4ac2709d0971501237bdd39c2a0bc11e0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
92KB

MD5
c3f7122a9d4d5330e95e58cb40db29e2

SHA1
7011443cdf945485b1572c862d389ba531c0f31f

SHA256
366a7ce7d51da6d667bec9bcc49cdc6fcb62c09aa2ab4b5b6773925b35b9152b

SHA512
806f18a8a2ef8efa99bd83e425b2e4317ad3e8cdf39930cec73f14286935c0ee03ceebae61c1901f5babd2f74747970dd1610e6b02591407b9b874be2282111a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
118KB

MD5
3f3836724c6b6cbe34dc1b6959fa98f9

SHA1
a5d2947f7fed67ec55d002699217615223c2e6a5

SHA256
ace3687357a683bcf77e7ae0ea6d4b87f936bc371ac187f6d1d617e9105a8da9

SHA512
234eb59c52d25a9217921523e468a2f2730878346a0ebfc3bbde99563b1badcb08cccf391109d2c920b88a1fcaeef60cc0bf434775984b6b1adcdc523fae2655

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
71KB

MD5
ad9bbf35528423b1bcb05c17538ed43e

SHA1
8303fcda83d5292682aee62ca15884aa88e9a8bb

SHA256
229c7b1f00100facd5664f6475a5e98731ad6dec2140e8d64eaed5cdb16a06f2

SHA512
7bf379d62d3f2e5227f8ea2080eb2c1f7a90cba4c6bcb5cbb9b082dd3247982a7a27e1ba1903c6d971aedf75e481b65bc372811c9076e5d413afd118d431bd4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
73KB

MD5
80320884c0e849b97f869c4b5b70c6ac

SHA1
9fe49382e981e95500a21d8cf8918451b70bfbd6

SHA256
3220a69d2d9409353f672758a4268fc483b7267d709b197d455b2c765d0116c0

SHA512
e9003ba48ab951ce3bb625ed9e9032653a78c279f931f6a311b65fae9810784aa22a8c0401499ded96046a5dfa4577c56fb39cccd0c142f1fcfe3f007934ee50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
116KB

MD5
c346d175bf3ffefa619010c04008f8d2

SHA1
cc4a6b1d5552d4708274cdeca99290acfb85de96

SHA256
ad824a7c6bfe2a50d35c918d1bc0d316f3631632564a7bde83097c6244ca25bb

SHA512
691ec8a3e01f8e873ca0b32fc8163832b1487704af51522f308497b0092725411dae6c36bf3f3545d7addb4a3133eff709eff28e5df6bf7d6bfb8afb815bc8c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
20KB

MD5
bcaf8c75614066555ccf817ed2df0938

SHA1
2364019756a2bee4cfcc2a0f4f28c24b90417cad

SHA256
9c8c3bf64717a28f5c9e455f05b1bf54166091f21bd0010ff2e5d4b1dbb730d9

SHA512
91e731b32471b9ce0949f12d9985bb85e0afa24d5d42d9e1aabd87606301b1bab938369c3bfcda1b0851c321d8b5c0116bfde69de7bb094a6f30abd059f6f6c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
34KB

MD5
7fac1984604f8248834a6e78e88b5f5e

SHA1
6ba7db0409b9b1b288ce473547989da978f5da9a

SHA256
7a38c6602a6fb08b9ec004bd8227d8e49b1ca1e3fef7885292eb1b3f9471b0da

SHA512
922f89d660716be5d798b495eff34c75d876577c5fdbe0c0f2ba18131e611a36d153efe0f23dc09c95b9b4c1a30a9f852e054f7c3ae731ab87f3ae5ba0359839

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
59KB

MD5
42f16e87964f0226d9c9b962670ccba5

SHA1
c296da329ecbd5680704d24b85589f35d17fbeb1

SHA256
2c97280251dcab1fef7d8498b6af74b9b5dbf25285a1ed31c56187a2bb9cfb1b

SHA512
c69d3169b2b1c2ab1a76e662dc458979af86db7813e07b20d14bb13f62be7da4924dba772419c013c7d274f64bc9e011f64569f3761db698a6c9efb46553012a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
113KB

MD5
f9548211da06be634d9b52869c91bc7a

SHA1
6fea7a5cbdb8317642a3dfc9c325529053cbb25f

SHA256
d92be43c80ad45b3bef6ae15e7b6c99597473e0f1ccc9b21f5ba392838c9f0b2

SHA512
3a12d0ec290b1625762ec3559aec0d5d9dea5f6bb2813bc02d26cac4db3a766b1aca06f3617562921ddea7bed5b7fb15e6994d54038b06dfb23d5bfd61f4ec7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
64KB

MD5
c9fcad01b652dbe9f635d3986e60b200

SHA1
7fe741fb2e7b76d798dfc8a4025cac625a657cb3

SHA256
d41a7cc525cd168c31b0a131858ea5220f3e2d7f0b349af0082f9a1bfd7f863c

SHA512
7ac1eaedd05c1e434c8461a6195ce26254961f3f1259bb1af37ffd774bfee78b578eb7356a410a445096fd3664a8bbd6075f30be61ab8c5eda9dd601b7a3de1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
29KB

MD5
891209df4a3186a3dee74d3d0da4a3f1

SHA1
dbff13a33b74d2ddebeda8f6afe232c040013fc4

SHA256
11947a496bb4ee390c0a3f5a958b735dec790919f1d2c767faf1373b490ce23e

SHA512
9bb23fcdd675b990e91ccc432776029e665790045053af5c787b61565210b5c66f26bb974b0fa96cfeaa816aeb20097dc3a7d5dcaedfdb7065bed404cba72935

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
64KB

MD5
51b35c1e0d17e4ad4c16eef8aba477ab

SHA1
5d696a16fc2be985c128abb801eb6e7e77a561a3

SHA256
7ef9f2000b85b95bb0d34c4162339540c8b3e416c2d306721ee4fc3d39ce52f2

SHA512
6185ca5342f51e94cf19e3491692c16350d7ca07111f2c6e29d56fa6e10cec7517e7f4a8067e880fe57390f16e3323b700ee3e86cd5a5566c232a8e4b32a0d3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
88KB

MD5
2475ae155a750cbf02b26bfc3be9c454

SHA1
d62a754633f91ea3dda63d04414d0f05ac85c2d9

SHA256
04c463db53250e95ceb93409b02e951d8419af074ce3f481e7906044ba8928d8

SHA512
609437fae6cb2fa982b4474d839e228deb3258288ee666c4573a9986c762d3aa879923bf16ee0bf2a1930f8145fddc1c281f68453ca958a0f1119cdb7d727902

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
32KB

MD5
5ec355a796b85d3dc2d7549f42e0166d

SHA1
d5fd2c52b291e93a41be5b3e385bffa8c4223117

SHA256
468ec6d98ecc848ff913a78712d38419a99aec96fe5a974ffd616115c271db66

SHA512
b80cacdc8d18776d4203f53814e93dec53d81a4ff53de6ee611b3e0de7d1a2dc6151da0c5bd657a8f833587ea298e53dbf96d39b1abfae5afa2cc5732e07ac52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
99KB

MD5
15d4a83f76d95fd5369418c2439dbece

SHA1
45bfd20e9d65ad1bdffca1b9153834c60d42f5d5

SHA256
202a4f4c7cb2b351bccfd11673fd99bef887936e666e44e18f3edc2c88062444

SHA512
c9408b23d740beb0f53db14ebc4460de5e97951842dc8a636aa5d737f4c72e2219e5fd71cc4ca062c67054686fe5d920ce46ae910638543809d30ab057ca24b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
77KB

MD5
89d3e1226e3fbea3dd081ca04bf5cef6

SHA1
cb1e9d1928d6a46f7cda8744834f558d712f084c

SHA256
a4fbcea911ab30fbe590ad08830ba2bdd42444c54ab51e0b474b29a09476965d

SHA512
4c762b1360f4ef2bfac6cb6e023a4b4d610dd27ab03d4815e14f148763774d1bf4dfa61f509fcce99af8e5b9ec463c2d45e087c0253244b602210311f5325591

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
32KB

MD5
859756d5f200edd218b730a0c5325c61

SHA1
f23d0babeb655efe7b923082950681bf7568f243

SHA256
a3b851f93c6676f86f9846783c952db9f2bb9ab699498bfb751cb4fe241e56e7

SHA512
ded0d1fc048851c3b67a9d583faf7ba24898816c7da737b02d1361c87ffb2f691b7e85ad87059ac899b4b108af056ff185e8a6c25135e053b0c6088c63ced720

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
58KB

MD5
1cdba84b2101c99be2d83dbc1dc1fc89

SHA1
0bd8507f894918aee03e9606bb2e658c5487b8bf

SHA256
1a6dae7f1b1b1e617e4ee8e262ce36ae3dbbe49143af2e54b92c9ee957e04a0e

SHA512
cd8050f02b2d5d6524765ecb49959946cac6a86155c3faad5b606b1f89e7b6e16043c3b25a20fdf4b1849ed960b2b439149e4169042bbc00bd99507c07de1aa2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
416KB

MD5
5f1151cc6140495ee27689638a3e5011

SHA1
0cda26456db7e00675bb0ed8741e466b9787a5d2

SHA256
29e607f1b3df1342c6f1a6631fd466649c86857cd7e0e5fdd99f8eca73d16acd

SHA512
612799ff2135fb04a682593c38bce4c3ada905b4116d1c91d43a149b5b4903075b4317dd88196a97f8a040f133f8c4cc8bb97586d0c869fcbb57cb3a29a2dca7

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
127KB

MD5
1791062c9d8225f9b9d0ed9b1ca26e7b

SHA1
d50edd95a4bb6c0a7e6b16f75502c5daea026c09

SHA256
e2146bb62032e76ce9085e3f2b9841bf8fb502fc655f59c18419b5283d7d94d5

SHA512
47eced5df14b3ac1771b9ff794de6ecc72845389cd57bf427ceda485b46ce10d9f64eb664fa91cac9b4ad433edeebfd64fc7909f7f79b9f7d719af0ac5ac04ad

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
240KB

MD5
5e6874bb428e0096c9d00259960bc00c

SHA1
519bcf20bc513a5907d895eef2e360f4d40a5fb5

SHA256
d7c23d61940d3ea2c178a2f97fa9f21eb10146d11311386eea06f469981397a4

SHA512
acb567814f91333333cf2e2c66cfae6a2e93da02654b97a1e9b220f578e4026a00c6c0dc43e83e4ebc3306f720110a8598d7144fe3470d8fda399ebc9676f15b

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
72KB

MD5
f8a2a0310054a6fd6c47fb03425c10b9

SHA1
198864f4f36698de99984c856b1e144f414a661b

SHA256
075a4f71aad99a04573a94082189f731c1af7666d8b59fb4456b04938895955a

SHA512
0b2636fb12b3890a62d4a90ec96df1707cd9508da093269744bdbe31b98524162dea1f138bd371d3f2a727dacd83132906e063f651dcf2374583bef9de94be30

Download Submit
C:\Windows\System32\Locator.exe
Filesize
88KB

MD5
50b0b091e4a785b71e0d9e336b7b9e4b

SHA1
8b23db9ad4e8d0d439ec375252ca5e19918e2b80

SHA256
717fd1956d472bd741ae6cdb07fa6869c02654ceef44ed5577fc30e24a2b3a3a

SHA512
385b1896cf104d8ba24a87d00b3812192c02dc5c779645a5748291114f6c5bd24da0b85a7ced360b53ade1ecff814117cc1071aa51e92d1fb0dd42aaebec03ac

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
160KB

MD5
1c4abf9fe24262ff9c847ab2bc9d608d

SHA1
3fa44eabe11ecc9e766712632ac6baadfcad710b

SHA256
545bb8b9340aa491b67a1b240d8ebbe3066db52311601accb4161cf6ac984fa7

SHA512
bf2de23fc3c8cb5e75ba6486ef2c042c2ea127e3660b5b0b1d2729b54249145550166e8fce2e3f90e33a78b5b131b0a2c44bd27c2dac9cc4a839a5fa32b2fff9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
186KB

MD5
bc007c7a09f7f2a88230fc430985939f

SHA1
603ea80df44d3b99565db12fc076bcec5017c1d6

SHA256
9feb40830f2305fab46d8bad97e0d74156dbd38d2d9d6e26178e3c74b3eb6e0a

SHA512
f2d468d2d23a603c24f55c890d1d853563ebcbdce39348a9a655beb3cbe071e3fab5fdfb56f7ea6f48816afe02eea9699cac9a7236a6554b05aab814d56bc0f1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
149KB

MD5
8962c3b25015769491be225de7b14ac4

SHA1
4d724028b6b2a06efbea2f71fefde211aee082cb

SHA256
76b4ff8e926dfd2015652d5b53c29320599e8b0ca2f02761ffee143269bd1ec7

SHA512
48413293f31926ed3d2c282db986f08cf2e8fa455cfa4b2059aaa8b7cb1083cc82e3a5f71b8797197918fe5b6e74acd89804fdfe0a8102061bec89789847c1d5

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
78KB

MD5
a21d6d284fc8b94590215163ad1f2dfa

SHA1
99323f223f0f318a6c9d1046c249b86ac359f577

SHA256
e7830804abd96f9e4eab97aca06483e39caf18d88b462687a1332338a5cac735

SHA512
70497c20324d53cc0c51e647b96c48bb89d1de613e54b42d7e3a29ea5768e326ba7dfd053a60788a80c73cf8e46e4a54fb057feebd6a9a5f730f26f7ca22d663

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
88KB

MD5
5fd41ef345538709b33a59a75872f78e

SHA1
c74d7cb444344ff7a282ff4ddf2cabb5aa60e0e9

SHA256
1588e794cf57283f9b0e0f9fd514e85dcafc29c1ae53b4b5fc9a1096aaf405f9

SHA512
e4b0d1fe1463af067ff7f839d623c701a2cf176fc847ac5a675811783b52ba6433d5e2fb80661cc42ddcebb2ad88788a6eb78f422cdb4f58b6ef19b4d565b14b

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
166KB

MD5
feb8b019d0b3d01d8a67c08183637b58

SHA1
a45cd02be9e4a8389f6065e98176b5ef2d6fbe34

SHA256
8aca747dd3d29c1ea375b901546b2b9375089aeef969c156df70314427550690

SHA512
421fdaf2eec2447e99c2cba647f18c5a8d38dda6369bf67a16935fe01609962d803d969c0fefaa112f4e5132e0852a87ad43964b81a9c9ffccf439716f4b1d2a

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
225KB

MD5
0f3e623b2475fda69bfbbc3922ac1dbc

SHA1
c5a2684d28c7f3658be00a6444445ebd6b20cbca

SHA256
72f5fdaf814552110154ec5c5b302063543f2abe354eef1cf109210b7890e159

SHA512
07dbe8d8b94d03603828b40391eb0aef09ce4db241a11f29e5cc26fba1ab2396f1ad72db3dd4f240ab2e07f4319990ff62d0e43d9687ed480c6be38e70f178d9

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
145KB

MD5
518ea26616dd157394c8b72dd2e5c1c6

SHA1
696f80cdfc06d3e388f27a35d32966115af46e17

SHA256
b7be1524ed987385566607b36498961a4ca40b99499c9439ec38f2cfdb3ef086

SHA512
9ca915f1868e9a9613db841b108cccff79721eca7ecc21b4f26a4cdb9f636b76ffc5d0c8ac10da9ba0183173e979cbd6487966c0c6b7cfabc2c5a19f6e15b0a9

Download Submit
C:\Windows\System32\alg.exe
Filesize
330KB

MD5
ca2f32431822d19a64a945b3763c6362

SHA1
1e1391704effa6f35b9764e778bbd9ff0c7422e4

SHA256
79236b39cde071628c0114834d50e71edca721ff34fe8ff6dda6dce7658e0421

SHA512
01b96c3d6bda8d151325ab8156405a478401dc564d65f3b9f4916499367cd86ac99326bbffc6edd7452b57e0596341c97e81520619dd9582b0f3587feecb669a

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
288KB

MD5
d71ef6d982b4150f40028e804d4c5a6d

SHA1
02c14cd68211ba8c50f2e4ecbf9f06f9a0526606

SHA256
37df3c5b2b778593125ab28c42ba5c6fd702fb76f3332d124c975a5ba55d2b9e

SHA512
9f96f899faa833ec245dcae5d0d4fa271954fc1b469a2886decb96aa7b56426fb4c06ea74c373ea56e3659d178a40561a274ff429f91e5d1b70a506023788f44

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
57KB

MD5
5829d9f6fb2ac156f17cfa836860f7ff

SHA1
4455d102ee0711d65f7750819903c02ac6e73017

SHA256
feae8c66b78fa1a3498987dd04aa79c5cacf6a80a8bdecf12004691106d12813

SHA512
f89c87cf700ffc46c779c2f6b0555165b71b7d7826c50cd8e5d5db7c4c78e3022cd56c897ae03ae4caf702161258e8923dbf9053a6ba997365b357a13bbeb7bc

Download Submit
C:\Windows\System32\vds.exe
Filesize
70KB

MD5
dca8d2aa0fbc119683d0cfdbf4c7fade

SHA1
597158298b791304a6bf53b0d5988d72607f3cf3

SHA256
92859c594965b988c6f4788e28c135dbb550c84a3dcb55855844461f295bcee1

SHA512
cf63de0adc1f8770871c43ed8bc2ab097293680c12ed69e8ae9130c6abd161b587f6f72623006e80eb419b42248c1a93776899316dd558c08e6eca880a85c383

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
61KB

MD5
aadca28b20c0adccfbbe34aab3f754da

SHA1
a6f7fcb835f11c5a883e0e7effdd40e695932fb9

SHA256
222a933329e0e7ae786620cdd472219cec90dde1b879c6ed65ae0be99ab85f09

SHA512
a08f486ce81c2009ba8b63bd0a32d3ee1b78ed08a29e7e82373c51ceb67a333390792d1674d9f331bda184ec72b7b240f96267d06c40845058e5867702a872aa

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
93KB

MD5
8b6f50f06ea45b602c613f76f74400dd

SHA1
fc56648d2eb228578cbd035b52cd77ee58fece2e

SHA256
4fc9d62c8770f951878c903bd3bc522c90f6f159f5d69fdb476083054378432b

SHA512
db8540fd272e6e0b2f9955021792e5fe9fc2488b0272e7e2eefd727a7ad1e2c6a599e804c7498e2ea608af23b11408920268f46581b2240b9f74ec51057aee6e

Download Submit
C:\Windows\system32\AgentService.exe
Filesize
146KB

MD5
125aa19362e31235e40cb818fabb31fd

SHA1
1aa870a214bef78e6d7388bfb3a58470a1e81050

SHA256
13044839282dd4ec5787d082503b421d6d4198a020954a42c84f0b65f4c12c8d

SHA512
a0897be329219e5ecb422c20ffb63e02d752dedc5459247c81fa3723dfeaf2349f7480d35f6f3112111fc26966469f0dd96c6d4fe94a218de2a382a0416fa916

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
243KB

MD5
147ae5079563fc05a0dd973f3aea3038

SHA1
08b948b6b81462021c0da04a004c2c64b45e7e0e

SHA256
7c271b799e3af37da1b0f39f83a81fd63b9fca1ebbf34d21237750436fc17613

SHA512
1710af97380d06a87567088935c525897449a487c427a7ac94a579f632cfc46074d4b5a4cc9e5f790ef5c819814a411dd12df75044424ab6bb990745ba21e2ba

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
291KB

MD5
cef0d3ff34b004a5cb3a07f35c65fc15

SHA1
ad1030705b8182327db61c7ec4dc86df82b56095

SHA256
a3aa7b75230a5c67dca8a38537be12c74a10c31a228f842b1de5285be518a887

SHA512
7ce9d30d30d4dc2aa398be4131f96ac1184ff9b257fc5534898966cdeca4b07920b8fbbd581d6d800a40326b68d571b8897bf12eb81f3b75bddcb4d964d532e7

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
121KB

MD5
d173ba9bb71dfc247efb5a5052143e9a

SHA1
4ca41dd6e3b86df9ef894417cd64d1e772466256

SHA256
da2722a3cd4ecf5251eae51d2b27c879f852da2352cfdc4178103ba9970c0514

SHA512
1c72f7745e11f5444822d33df1da55f64853265203a2e72b8f7036f250c93131a2f13ac843bac9d09c8cf72c57797dd5b73a04fbbe2d3b6e874de79ec582e3ea

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
374KB

MD5
0dca639f9bb6ae1a529dcd16bdef36e4

SHA1
a4d3f2e004246953710aa8634a17023bbbe9f3b4

SHA256
66c3a4b53ba6c4f275f5af6ca3e6aba214ec6bd61e89fdc774c46989eb74d37e

SHA512
065533e575fe3c18b938f58f1d5bf36ef0d6c440e81ad49977551867632a2e8b9b471a354454b4c61f285c7c9c0609d51358fb52550fee749413c84e5fae013a

Download Submit
C:\odt\office2016setup.exe
Filesize
235KB

MD5
0b2a2d1dfb4fae12ef27bf819ba873b1

SHA1
4ebe5432de561d4eb74520c0f742570b2663a487

SHA256
cbedb95b256a0a15177878847c8e4ca7f35e27fa026f56eb2eec6b2fbba91e5c

SHA512
1f1ddf4a4e57608c76291eb1841d400ffcc0ee9a44160e0a5ff021ad426dcbf8112c03fa82acf714cf7c57b50146d9a395c17a9b4ceefda495f99a7975aa820a

Download Submit
memory/520-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/520-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/520-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/520-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/744-213-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/744-204-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/744-272-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/808-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/808-74-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/808-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/808-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1728-7-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/1728-6-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/1728-64-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1728-0-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1728-1-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/1728-493-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1752-295-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1752-287-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1924-233-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1924-174-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1924-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2208-243-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2208-235-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2208-487-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2804-144-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2804-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2804-212-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2804-202-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2904-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2904-57-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2904-50-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2904-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2904-58-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3132-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3132-185-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3132-130-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3200-256-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3200-247-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3204-190-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3204-200-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/3204-259-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3544-282-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3544-275-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3880-226-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3880-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3880-232-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3880-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3924-46-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3924-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3924-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3924-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3924-43-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4468-32-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4468-25-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4468-91-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4468-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4472-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4472-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4472-161-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4596-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4596-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4596-186-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4676-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4716-540-0x000001A05DC40000-0x000001A05DC50000-memory.dmp

Filesize
64KB

Download
memory/4716-541-0x000001A05DC70000-0x000001A05DC71000-memory.dmp

Filesize
4KB

Download
memory/4760-89-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4760-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4760-75-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4760-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4760-88-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4784-101-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4784-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4784-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4960-262-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4960-270-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5096-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5096-117-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5096-172-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download