aeb8b781cc401d490ccded6a625431c15e76abe6b57eb44ff2b0ca9cc0349697

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 17:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
Size

1.1MB
MD5

3184da3c93fddf8cb07c4fddf8c8d7f5
SHA1

6527d1b63794df91acdd0d3df2e44ba23141c373
SHA256

aeb8b781cc401d490ccded6a625431c15e76abe6b57eb44ff2b0ca9cc0349697
SHA512

73c9ce8c354e7ee31cfb5826aa9d3a4b05566c9a6f22508f4d4a0d061c51bcf03691ec6fbdf9bace5fbc6dfeb569bd6515cc34f618cf10ad484659f0e6282106
SSDEEP

24576:fSi1SoCU5qJSr1eWPSCsP0MugC6eTCEQkbvK8N3t3QVkLhoo+SVfhl2/:XS7PLjeTCErvL73RLSo+2fhl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3648	alg.exe
3644	DiagnosticsHub.StandardCollector.Service.exe
4680	fxssvc.exe
3872	elevation_service.exe
1604	elevation_service.exe
3900	maintenanceservice.exe
2356	msdtc.exe
2520	OSE.EXE
4388	PerceptionSimulationService.exe
4808	perfhost.exe
1008	locator.exe
4992	SensorDataService.exe
4716	snmptrap.exe
4268	spectrum.exe
5024	ssh-agent.exe
3080	TieringEngineService.exe
3760	AgentService.exe
2432	vds.exe
2888	vssvc.exe
4540	wbengine.exe
880	WmiApSrv.exe
3048	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\98ff8ecb4d74bb6b.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\java.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af51142c244eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d66082c244eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000097362b244eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e504e72b244eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fdedf2b244eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071b9b92b244eda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7c80a2c244eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008094742b244eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3644	DiagnosticsHub.StandardCollector.Service.exe
3644	DiagnosticsHub.StandardCollector.Service.exe
3644	DiagnosticsHub.StandardCollector.Service.exe
3644	DiagnosticsHub.StandardCollector.Service.exe
3644	DiagnosticsHub.StandardCollector.Service.exe
3644	DiagnosticsHub.StandardCollector.Service.exe
3644	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2580	2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
Token: SeAuditPrivilege	4680	fxssvc.exe
Token: SeRestorePrivilege	3080	TieringEngineService.exe
Token: SeManageVolumePrivilege	3080	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3760	AgentService.exe
Token: SeBackupPrivilege	2888	vssvc.exe
Token: SeRestorePrivilege	2888	vssvc.exe
Token: SeAuditPrivilege	2888	vssvc.exe
Token: SeBackupPrivilege	4540	wbengine.exe
Token: SeRestorePrivilege	4540	wbengine.exe
Token: SeSecurityPrivilege	4540	wbengine.exe
Token: 33	3048	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3048	SearchIndexer.exe
Token: SeDebugPrivilege	3648	alg.exe
Token: SeDebugPrivilege	3648	alg.exe
Token: SeDebugPrivilege	3648	alg.exe
Token: SeDebugPrivilege	3644	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 4432	3048	SearchIndexer.exe	113
PID 3048 wrote to memory of 4432	3048	SearchIndexer.exe	113
PID 3048 wrote to memory of 1904	3048	SearchIndexer.exe	112
PID 3048 wrote to memory of 1904	3048	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_3184da3c93fddf8cb07c4fddf8c8d7f5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1924

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3900

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4268

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4188

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1904
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4432

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:880

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4992

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1008

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1604

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
123KB

MD5
46be2dcf24a53772ca830a5c718dbdd9

SHA1
54f10aac2f2d4236d381f684a47abaef98d3f4d6

SHA256
4321447e1baf77e63b8a6ffb788b90dae548d0ecfbff14405c273ea9272b0e56

SHA512
751865a71e946e296b7bd0bb585345f3b1e8fc51fe59b76a30b3b7856b38b1f2fe54a3418a7e0cd3362090ffffc9da22ffa7847da6e3ddc019f73c22286fcf57

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
87KB

MD5
a6e728079e034ea8a93cc2fa1fb3e73a

SHA1
802b8077d99eff7fd89c280c4559d9b77e504363

SHA256
29bd6fb13bd94c8d75b96301b7f07ebb3d8b5a7bb3af89c28cb9da1432483d01

SHA512
6719626de323198a5f2120ad80a5648dbfc63ad5f80b47df5ed589cb67d0acde0bf0c66c7ea89fbc430328514f3b1a330475f5c4f675c461868f3db1fbbd4c40

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
455KB

MD5
a2770a3600dddacf2832693a605c28dd

SHA1
0d9cb1c3ca74a343afc99265b647918bda570adb

SHA256
d7875cce6bece3eeda70797e2b7b1a3b7bfc6131b4de8d358df54ff904116673

SHA512
b248e34026181dee08f4e62a8edc84329b247f00381ee827c953af623328285ed5a0d8cbf4f1bf0f09807f3deaf838e59fda5d59c9101f97056adbe6b504d229

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
30KB

MD5
8d6dac58bc7582db7c0dc26cc5fd5596

SHA1
403a02a4d548456f0539bd8fde07cf4214708a80

SHA256
3cc42001eaa6209e93005eb5440b948b9d8d88fd4ba3a8a51a6f163e1be0ae95

SHA512
bd09c774a3f4b35724619d6c0f26243b398af6e03383b225a31a810a6cfc210dd574ef05e528328ca769206c4861d8c9d7f527b347410974e6353b72b114ce70

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
58KB

MD5
2868bb6f24bc330e4e8df105630b7589

SHA1
aaabe47ffbf03aa76c9eff860dd66d5b23f3a510

SHA256
d0490590b8de3bfe56bbe8dd34c75dc50fcb36ff3a5bd610ba56c731933411eb

SHA512
05442a806722fae276a081fc39b65cf918020a7d880eeaedbd4a6b79799fc419761f15cb61827159d1e2eda1512f8a205be01731d133466d8fbcb78c09457669

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
92KB

MD5
002e8673dcfb1159d7151de9f1187038

SHA1
8d28db0d17a9e0d69679d9a71b7cf58e017f6261

SHA256
e8f3d7b22e45bde95c02a58758482625d2b8605d9212399a609508cb454f5c1f

SHA512
ee74511f26438c36a251784baeef9d14518d675e65239c7b5f7b0d7915653cf77d110ed4cbebb5f7d4bbb0c143e224ea81b80b5054aa2cca87ab2305c6863f23

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
90KB

MD5
7630a9aa599b5f42f79cfc7d44a6aab2

SHA1
6c5820fbd1e4dbaf029d7bcb36c3dbd601156ee1

SHA256
0422a53fc309d6144f512bb61cace481c4353882b8ba74e6a85d3c2b4d80194e

SHA512
2e31948ae9e999968867181a8526dffff3f6072e9749e31a005259715d9b763a1d833537f3f2c17d1590f1bbe80c6ea75040c6f18bce1971ea93122fd48868a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
92KB

MD5
12b0973d15416695b09f86caef67eb4a

SHA1
4f0ba4494263f4b91d80ef42731aabb9ac79c2d3

SHA256
11699cf9ecceb51d0a06d174564eb536b9af7909fd79a44fa06890662528ec12

SHA512
7d709c287879e0d81cc87ffd25174492edeef0c989886c0b8bcac6d68f1d34f0c2f3afcf0e6b7154f85b2dfdc31059b632268eb72900bc823614a73b1aff7f28

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
77KB

MD5
da179d1789d062312d1c534c5bb3b3b7

SHA1
4d34b0a00535d1c6ad9352e34fe7cf4e7b17fb6f

SHA256
09fc21ea40579fc415232a2cec39f786935c8017f3cb325339b8c12765463b6b

SHA512
888d74b6bfc644ba60b10550f369231465364a966a350a4fe08db4da5280f97908bb771f4ad93e653188d5f7cd2a577ab62146ed09490de4121e14b50e497f2a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
79KB

MD5
45ebd0d66c3490bd32df262c575d1074

SHA1
36534ffb6ecb52bafe34ba1f216a70897d9ce258

SHA256
aba3e60b7f7192349c924c83a0c8d0dc6395b08cc002c1d380c759b9210573d6

SHA512
559ac316d9b9bcfb0fea313e736145f5c7862e6a05b4bb8d0cc90ae355dbc3039bb15f552ffae08d9813e05d838a0048fb62c3d381a585df8aba834161f03cbb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
10KB

MD5
77881f3c9fa5a866b8100a0775166723

SHA1
d74d6351abb395ea45290c2544ec9e461a447a92

SHA256
badbcfd719a541638d9a8ae1d8e1c837b014445b0b9e44c8c5107d930f7cedb7

SHA512
18cfbc3c679daaf00b25eefd76928fe62a41be82937243da15d335452f429388f4bbe804dfa687d210a1838856439f1df1e1fdcba9a2498d6e9dd5300d3c03e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
92KB

MD5
b73208d14e7afe2b45478b2e953d43a0

SHA1
1cf36922e060dc5112ca3cd945333de09fbf4028

SHA256
349a04e9044c7ce178a00550e35e1f751890edf3de3fbb7044309bc01d47141f

SHA512
4a9f7b04d09bb9e1e1e7f9d36b1bd5086e9c535f3ee759c5390ff17eae738d29e87b41def72667f308f5c4ae038dfafe77252bf86012ae2954457df3943afe90

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
75KB

MD5
a3fc43b19a44aaa5bc3cb9efc8d92748

SHA1
68cdb98b06397d33cc51555fb25a3cadba26ffc8

SHA256
dff6acfca3bc891462bda5f6e745877c7cbfb3795ace8d02cd562883a3e112ad

SHA512
1d486cc8d3eea9ed286b55314c848192c91733222f5470da5ff424cb0b731f228c376b231bfee25e24a52923d4284e210a36e75c060474dab2e9c7d5c4a422a8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
91KB

MD5
6bc57cc982021cc9a86dac9c1f6ec853

SHA1
d06a64058dd46e4e3dd3aa66833e561008b54b35

SHA256
fdedd183a418c284aa8a4a4f934d374aa077ccbed0454e0a56b608536f305718

SHA512
73a46190e7df96ed160958a1de79f89e58d7b1340a7b273bdf2e8b6e347a571eaa77972ee4a83d3963343dedb944445a75dd6214d868db7d8f9813a51a8166c3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
57KB

MD5
777f6249babe45149784b5ee526e09f9

SHA1
c0983439112cff0d167ed28573b42583fe3ed81d

SHA256
e4961d8fcb6ca3545440a36a97f783f71968a228e1d1aba49070f0ebbd947c70

SHA512
e6d75bc4c5292bf7379efbedcea423240c73e9bb2544dcf65436ee1a5990d5e6bb5eb0c78b04ff2e684438421cff25f5a4d08aa323bc1fa17e4f811ddccfd6b0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
72KB

MD5
68a10b200653aab8353f43301f706d4b

SHA1
2e4d0fd775fae6717435085c3d23cb5562637320

SHA256
cd346215672d8de18fb88d2201ab726a1572664c6ca8fb9aacb29974cf4f6f5d

SHA512
0df980efde259946f71fc55b46c66f7f9c289b79f288918b74244bc77fa0e0260541dab60a23e98b10408796fe13f96bee98e3a586aa55af51e1a7463a8cdb3a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
65KB

MD5
90cc1449b530743d7b8c774c030ef5aa

SHA1
aed53f8ab723ad3bbf5ea2d89ea33e0d8f7634e6

SHA256
edfa24a9a4783ebfea4a875fb5d6064f3f1907b0782637a12265397eaeee12ea

SHA512
94768d9bd4f0f87443a8116cd2170fcd24908e8e1986ac3f7a59bfb7c7bf51db1691a8e7ffd6e17d6acac9d831d273cee57be0996d3aee4c7ce02c8794499c38

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
79KB

MD5
548ed4a9315a5148f8c40c94d84155e8

SHA1
5a176638dc65f7852712debe927121c7a974c099

SHA256
70f90e817865795e5b47e942894b0e47ca0cd0f41e783a7e07d53c45104a7a07

SHA512
a2cf6aad3dbeabe575da9ef232a8244ca3e1bff53d1f75ce25994f402b0a244538a201ce181f8cc172df420679f1c92aea13ecebf34ec6d8801cc8b9e8c45154

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
528KB

MD5
725987bf027fedebdf932abf332f8e15

SHA1
64fcce6a964c31760e596abbdd11c27eabd534b4

SHA256
c8fa80233c4309b1defc27cb55802ae5b00058c18d68a6b8568ae0b2304addb6

SHA512
6d798617227a14ed425517fb46f9eab4e874af9228182f210c2734ff1874bd940838ffec34320791de6d20fbb77e5c5ece79a75781942628b4557960d52da652

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
29KB

MD5
237b1f3b98f90a1ade9f954bf45192c7

SHA1
2eec6162ea008d9385373d1d8d75f5c92616c7dc

SHA256
18cb136adc87ef114ddaed32395543fdd4b1613ed20158f969790fd9a5c722e0

SHA512
f22dae911cc6f0ac25c48fabcf34bf25cb3170fcda185b8035b19442b6ff226790d7003ec6ae58f7121adda6c0773e4edd7a282b16d676f58a70d24f8213e444

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
95KB

MD5
4c6fc20871aa16989d57d846eb2d6e13

SHA1
73f3b4608b3bc5da597730fe4946458149ac158e

SHA256
06c8741e8c628e22270aee562d9c8c0b21d00e74d5213f9df27ad3a4e2b51a93

SHA512
cab686030e927d50fb9c6462071e904c54fbb7f770c6fb918a9ef3052d40651939483572919f61477c9a1364d58fc0a08f00f72184a3f6814b55134a42c0311c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1KB

MD5
c5e10a6400ab42c4a646132eba2dc45b

SHA1
7bb7cf5313481a208f9eb596ce138bcb5870701e

SHA256
000cdd518ce6d2f4eaf4b6d9f1309ff78b56ec07caa5581333f4a0e8b0034859

SHA512
a05cb6deb9e11edd4d0f4951611d6e7dfd51a6a226c4ccdcefea052180de0008db64dbf67e391c6b7206ed1bd57b82163ca8b61356a98ae46d2558d3b2e2a4f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
77KB

MD5
cbe629b77dbbaa97a2ceefc0bb3d7c70

SHA1
51adac3a7c8ccd55027b180107b6da2ecb42fc91

SHA256
bb949f82ecd00a99e8740324cd69505a470c837d8dda9064fb130d21e28dc92a

SHA512
ef6dfadb6363833cea13ef64186f0068c7beb4be41ce61dde52a73187a38f9eb41269632eb76e5de7e05a27bda6c1ec0765ca0bbd8eac2c278d50bc4c5f4fb1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
21KB

MD5
6962b3f011a1624c6bcb6fe2bdde9878

SHA1
cd263472a3489d3c1ba62e11bf21e24a5a3f4310

SHA256
41c0a1ff0b6f56a62b59cb15e0be03a4b749c890d0d1b4be8ccef89c24f0e278

SHA512
c1d1386f7f313944d401ffd2254a557e17095a12841c21903da0dd49050a9bcf7048bb7650b7eb44cd8b7aa05abe868577303b5b8408109a2a3d4707bdaba6ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
7KB

MD5
02336d95551b32368bdb651310ab1e96

SHA1
60ecc2b4e8c2aac731e5589c03e8cc27c9632c55

SHA256
e3f1b2e2b4066478ba54bc9720e3778bda7e09198259e0dd00e01d722ccfe4a8

SHA512
cb0a3f6bddb0d4d94f5b72945261e48eb0020c21d0047ea4862ea3eade7dc5b5b05c202b319093887d5c8b24518cdfb85a5c096b4dec2113a5215f8a0d415d1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
41KB

MD5
27fb9760ffd409e38651cd92783436ee

SHA1
f69898e92fc15ead6f4bc295ea11dc1bf34f98e9

SHA256
87dfd1c26759107ec880e9f6aa845969308ce2a2d4ab6869e8af02fa819b622a

SHA512
3958171f058ca0d9f903d655827f5dca878c077f067818d9c4abcf49169ad7171fa9c29aa18d561fe95341142de0cff8325f00d78d3dbd84488e748b8e57953a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
10KB

MD5
b48df1a80f3dbf410467cc57f718324a

SHA1
796c3d99f5eba60703c6e4e9ce76ff74b2cce479

SHA256
96a51d79f7c07cd5c8b9b1037eb5b722bd0b9b6da6b23f426dc5618d62d771f9

SHA512
34fbda6e236042085260427a0fa6a13c78e40f535325a0d03e6831ff0bc20dde77e8a9d7d6a0d82bf90a251323dd7f9dc954afe7037b422803ca7470d2fbd2a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
49KB

MD5
4945249060d099e6d4283de6c98e570f

SHA1
e41a717b2850c1e8103253eaa633e4487e817ff8

SHA256
5a63bf6da0aaaef60075a7c8cf940567b00f7856b60c60801a41243140adcc2d

SHA512
fee300949ffdb5c706c226a7076b059f02eb9f3afc0480996ca6d7ab5b79d4ef88cb921f2756c8b22474547c0f1f6125ff334cbf829c33fcc24948a3a00fa506

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
3KB

MD5
9a46bcae3ff8425593bb80250707f26d

SHA1
a3c1f7ca635a3f1c69187e9ece72d6e9acb18b9e

SHA256
2402f7b735b24233f9584ec0d535e6a00d6640b169c3697340a92d048eebfe26

SHA512
4bd5006b5e8731c5337d96426e4a12c8ce965063b6a34a156923c3a1bfc54db7ff12c51258fee38e80cf171d46cbe49886ee3a60156a6aa0633bed79afc4ec82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
39KB

MD5
95ec4853b87bb5cfaeb19645fbf69681

SHA1
ee877ce0ae50e42e67d9faa56e80a8a60bb087cf

SHA256
17b85511d399bfd59676e5facdc2d1ebaa92e111124fcf0559f528f840d63d47

SHA512
f0e2b61ffeae473fa11d514069a96f8bb9709896138c42555207553598c36660709cf471abe8d0ebc5adad0c1b5c71de6e8ccd7a7541c384432c1535c12e6b74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
5KB

MD5
addee46ebecaba6b05e31df3fcf014ed

SHA1
55e22475613e845a47fa2fde4a9e63455aaba9ba

SHA256
c6cb06619121232606e59bdefb58d4f0e7a83e3f6a30762588d044847d371bca

SHA512
a0011b702e7f443ece275ac0bf2efbfbca3550818f2be6b6cea95cf8df71c5e8341ca70afcebf35ad40864df1735bd8a8345fa8a3f5c7b563cd67289a49df866

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1KB

MD5
7f046152b54dca9974c740a3094c6b7f

SHA1
c93ec71e51205a6319794788cadd96979eb5f501

SHA256
b217d9ce75f416d3e8978641549613817fef1a7f4ae22156bcaf0e3f9812fd4f

SHA512
a1b506b80f72ad3b233bde94478417dd9d4c5ea29f6b947fa3e631b4ef29c18f4e2d3ce6975c347b002ef9e77aad10349561dfebd9524d50b564d6f13c1a4175

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
57KB

MD5
de6bf09ac0619aaad94e92512e04e3e5

SHA1
ced8aed803116fa8093ffb2012b36f374b8a0913

SHA256
10f775777c6188eeec3c64d5da9dd7dc0410fefe27bedcf5659c3c2e59244139

SHA512
440511658c797243a723abec9eac0c8f0d487d03cd523171f45f03a21fd33074e11ba48f38520a39abe4fbfb9fb331e8f9f22aa9669a24685afa8332f8b7c0b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
50KB

MD5
a6c01e6f8c73c6cf0d00a9d4acf94abf

SHA1
71cae46d9b3c3b262ac112d2b179e5265527a93d

SHA256
f126971583cb4333f62adcaa49b6cf8426b86230e9ed0b6d8e7b28874a3d1e75

SHA512
7556a3b225dfcaba212d071b1d6bdc360ea51e6fc22bfec4e374e49660b72f63ecd32fb3e521c74dde4d683b2b8c9f8137ccca73a7f59857612d163643ccc101

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
50KB

MD5
806a9dfc325c1317cc6b3ef7e920510d

SHA1
b6c499f31e702786893070d2ca87c05bf24413e7

SHA256
4769661796e8bbe17b1cfed55cd7f12c9ff8343acdf2ca9d50f07e9b3288c42d

SHA512
6db76ffae4c6a1d67c813bf1ccc2e5e27e35d6ee9308504c3b5f0d2e0dfdb4ea931a411d70497ba1f501d08229e98350a5ee8b82ad6bac08479fc6e9c333f355

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
73KB

MD5
490b5fea110068aef0235c85a936d199

SHA1
2456b62d8b39e4624c3a9ee45037b627b8f722c1

SHA256
e5fda112a7301dcddff30849295a73e2558ea0486e9b90c3ea30351203472c6d

SHA512
dc31f3f75e41eb38e39b94a002b0fa05645c9241e6ebe1f1651c61ed4d741798d1c9ab9740dbf361af0c290677db0e864f291330019cc9dc5b45f2095069a733

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
20KB

MD5
1515bfd661ac88d6caff2cf1c62f507f

SHA1
2cedc878b88fbc0254eb994332e21847cf2d8c3e

SHA256
8ac479345e9d3c59773a31a8e78b2fc1fff92764dec8fbb334fcb25fca08a311

SHA512
ef125dfa90102587a80c023a7fbc3c7b506e8de70f2574904a36b2390b7a9dc368ffe8ea1f96c1c0ccf4c1ae3c4d39a49fb793702b7bd9b6e7a860b58c28a1e6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
62KB

MD5
c509e0444e1fa3e0db14e6e29134a3e8

SHA1
6a36aa0e4d10cc49f6086c3a4879f132ee344c2d

SHA256
0d765f2b65cf4f12e5c6a8a715050980630c483addff31ae7425241244841b19

SHA512
9f1841f6be2cb5b3228c6df99921f790ffbb305539d8c83d135b0738ca12db369b1d0f4772ba41dd35a8539a5097f9cdf073e88be94c9d36a0834087f416b181

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
76KB

MD5
a4ab814b958eb94e846873839dedddff

SHA1
5ef94f6a36d21aa8d883ab3782ba2e38f879762f

SHA256
ba855c7a1ce163f76ff31d23de6300c5ffbdd5fccca73fd779b40c8f73335ef3

SHA512
94b935bd95b873a88f1fc9b6a4386de34de3f77e6144ce42630b82787d5a315b7f2048e0a6f284ed42b001718629837ab6bb7f1d56bc60fa64b66dfd366361e0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
110KB

MD5
5b367735b2fa57c4fee52ccfb2c52f8e

SHA1
610d74b537dcdd8759f71914bc9aed6b08b73142

SHA256
5480d6bedba6f1c9bfd7ac14b5d1aa9e030c9fdae620b0317fb462f51d841696

SHA512
096939d38ecf64052585f93288f4781da676766cd751b9184cf472b94833c88002bb6e5ae92c9b26a834f3262ae7bff18b974cf8452a0fd5d2e3f821252cc7c5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
73KB

MD5
bfc51ad4abd9849629f281cfcdea7341

SHA1
81347f55494c17e8c84048dd2d9ff1b1e36ae6fb

SHA256
dfa918e71c639e170e7135547ce9327da983e3070d6f75f4849bc44ffdea7c16

SHA512
695f472aa9df1ac5423e6002bd78a4ab103765bae2c979a05db5daa1a1a605373c4ddd6a4eb5066619c0135984105e1777253db2aae987fd011fce56e1d31b96

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
217KB

MD5
8f7fd192acfc38f0154f6f66a8fa9ed2

SHA1
417a97d9ed8a5d381b7751e7ea35ee68f8c181f4

SHA256
6edb0176a6d3824bb22d117b4bdf06f69b3d9d2604ccbb95d3ad9af773141850

SHA512
13f79bfcf1afe8e45a4abe0999e12a07897d2d75ae3973210bb0b68ed7375ef0d0ce3ed15df357e72be54c262b5d8b0dd843a4d4085304a1b37f12fce8cd40ae

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
202KB

MD5
d21a6fb7ee9a701b94a9097bc6ec71f9

SHA1
9289255a2a19e1d49e01da2f08b342299a3f0fd0

SHA256
3d4544137e37df547670d24b43f2c5711b5e1e5612db6edcfa91748635ff274a

SHA512
239c46161a1a4588ec57e134190691d74efa9224a8a65fe70474b018a2283f741185508b005fb48a16eed831c80cd4571d00d76c7f3c4d633b3c7f61c5052a87

Download Submit
C:\Windows\System32\Locator.exe

Filesize
149KB

MD5
75ea0323b70df1206443ae67aa9a169c

SHA1
eac0eb054e5ff8befc2175c0321cf8c19f25f41f

SHA256
9a06dfb67ae54350ffaf2a41abe4cc57fe1e69f0b7b2d0addec77da625ba1ade

SHA512
2c4f5c33cae5eb43c41c650664032596a9551fd28d3deb8f3385c69846d9c3d7ad25e35c4f563b2769eaeaaf13ef247c4a610d17aad48e25a9028396c565d229

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
255KB

MD5
064ac47ff8a8cc628a4fd616e0182012

SHA1
6001b3d62b0b36440d335d2b78b86bed92ab160f

SHA256
7bfcc870ea32c8e50e133c574f1e066e28ca27dbc1f48a40ac81fb6bc90c4386

SHA512
d7982bf29dfd94426063a080a9c480cf759ddb44b314920e3662d5d3ab11a241861419eeb6779fe7612aeb149e94f8bed106a1288962951ab6d2946d2ff50a95

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
72KB

MD5
d4586156f120d86b6cd5854bbb8a249c

SHA1
2c1c6d3c4cb6e733eaeb9be7fb5f0356a598f461

SHA256
99d6d47890985a7a33adc2eaafe9338fb00d22c3f42aad5e515d9e6cf7344a4e

SHA512
b8efa29c458d9eaf594329be76b1d0631a93700a0c5f8105a3c8e9932ec76cf1f82f3ddbdda51aef2cd1877f5ae1611369b46a8193ce1231cf8adbcb26d3ae75

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
40KB

MD5
1731afb866832eb66a1fc3c0cb0b94c2

SHA1
3c96f251d24e5af4aff57cd0a7047ffe28e8a9bf

SHA256
8a870f6940c4c76c14ad665e5d733d569c942d3231068ae1b574f8e956891774

SHA512
92c57ddfed58c7e74e8e0761d8e3773e579ef530550336af487444f02ca115413d5f48538f2cf2de2db171b74b30ba0812cb66bdf82949a30ad49ef6fe203162

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
135KB

MD5
fb03df492751f1e56c563718730fd1c9

SHA1
ced0e41c2fd175bfb670fe66ffe808a78a765e72

SHA256
59772651e08fb71fe0c059b3c3851b38bd04e9541c1b78a1f6e20c3b57c57687

SHA512
a5df93e5e17165df521c033186c8548f94965f8c9808a61861bf3e3a5172e73376a2a28727551c86e00377ed696c0019b77b484ee5f984e225c9e67f3129bfe6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
103KB

MD5
6a2eb3f5bad2177fe7c17ef578666505

SHA1
c9164b8e9a522b364eeaafec878c6951edfa515b

SHA256
055e1e854b912b8724a52e8ad2bdb5d95358c6d180faed398f72c4584f7ed1e4

SHA512
ddf64905e835fa27fe1cf89ce276c1e546ddccd1ca43c42d28d5f5dbb67a80c90f3859220ca5abab07faa97a20bdce4db897435fe472f596315bf044b2956c56

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
102KB

MD5
9d8d4a149677163a9f6896315057f942

SHA1
4add5eda656f88b06e0a1890afc2a31c22d93131

SHA256
6a27d8a9dd37aa17c66273fa36dfcb7a8bb2eb19e8e7aec30e6e6f7f8f7054b9

SHA512
b17225a11a1cc6bc0df3f8b1ef9001c945c7e9eba757d318334668065bfce012166224a6bc6fd0d0d5968ddc60bf654fc7e4aae9f55a69b0fcc5e51fb3bd27ff

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
44KB

MD5
060071d5ffcc45525082bb803c74cd3b

SHA1
21dbe9397e139243337736a61891df57cf67dfd5

SHA256
3052a5c08f532416cd2412b80528234378a6e4e05230274b405af6acf9f116be

SHA512
478124621c73a51f0d9b9493ba2a6c32d3bac7abbc6e7ea5abdbe083aec7aabbc95c145ff1331c02d5e15560c83d450c05ad01bf3472cb97f8efa01de56e16ec

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
32KB

MD5
0fc6266fb17481f9f0d4e646b596b317

SHA1
6142d2738d25d6a0f6fa5fde9c5cb4c717ce9756

SHA256
72d0ac48bb9736005839df0fe3fd57370cb37adeee4677d4760705fb9501e110

SHA512
a68bdb6a9c8e1838863f12b2d08930b8556bca32ecfc377cb1b72d10722c87ef42bbd2428b969f04311121ba69fad18bc040a392dfbd13ab6685a771983adb7b

Download Submit
C:\Windows\System32\alg.exe

Filesize
376KB

MD5
dde309c139aeb55e48885773a5c360ae

SHA1
67a65026af1f3fc2d6609b86957bc344e45f1dae

SHA256
b5d97fd02c31c2981e58c5569115dbeb333e308f8691dcd4df0458b9ddecb8c6

SHA512
7faae264065cc6727c3278102c8fea28ef6c9706815dbdffd6604afefe3ee21a850fe7ff898a209954d516cb4aee1c4e24dd9de2c90cd3c29bf68d62eb55b137

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
468KB

MD5
15a903da0832f7b8e8c482b3e05abbb9

SHA1
8fc8e6936fefcdb25f7d5728275caff63ae14f9e

SHA256
b292f5524b38c66f0f29cf4611e4d017c5d550612f26ea59ec5ce739b22820e5

SHA512
8e821a3ce66209db59f38919c67ed22371f97db287d9b35f8a6444e278fff85aacd0365e3926da36d36bb966a0289ff5baee54352b3ad585810d300595e10e76

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
42KB

MD5
fe964985a759f0d9f03f41c8613c9a66

SHA1
d7a5dbb4d5694110235fae9ed67653cdac2b5cf8

SHA256
1d27311cf05dc4eb9fba5c412efec76b1f1f6af09d86c9391d48c21a0ad0c0da

SHA512
7a364b4a6bed42139bab183d87de1c561471748d1b1803715cf4c968c7ed78ff66319e518589a780394ee1b5306ad459101de6f3126b6c515189447e8b97681e

Download Submit
C:\Windows\System32\vds.exe

Filesize
55KB

MD5
c5a4a20af11692e9669f565b277ffe51

SHA1
1c0ee1906b0046817da60ecc70f14fe00a2ffca1

SHA256
c19628b1bcc4c753c09032c92753d2be64bcef29e3d4ea279f5630b8271f291d

SHA512
1148b6c2b47d3c9134b2d99a8fcafb6c7f628d0db0a96b74b17170deb6882bdf0a710ef874b1a09ec8bf9a6b37d42c06662cdecd245fb7ee588c80c70cfc185b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
84KB

MD5
2c49e2653e5d9a805ede19d407a4637b

SHA1
d03eec6f4d6d912a719d29dd97153d7a95f3f5b6

SHA256
db22e6a3f2d6330c329ad9970ffd1d6be36f30f91917c5e7405cea221f0a3684

SHA512
6c6c1dd1ffe7997633b5901e175f1b37f36101a16e6c3f66eb5edf0b8dd6a3e649ec53faa277d8185fe9bf6566b459703d51bee64f43d1299696bb698413e50b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
65KB

MD5
6bb9b00cad2c2c9cb4b0672a77dca38e

SHA1
e3e810d86f701e3292c41daf4eebccf36a1d743d

SHA256
e90ffa6af2ec49fead7082d1d52036db767fad4519e8ef6b901d3117c7aa393a

SHA512
490eef3ff0531ef460e22903ccc24fe0bce25b6e3d05b059f54723e344729274e57d00040e06a1c2099c0c516c41a7db0cdd7bb4a268af0e70100b7b4df73a58

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
147KB

MD5
a9e50d6b3a1600ed5f3f306ab87ff70a

SHA1
321f2c943b42197dbdd0f454ef6c8f697ce10815

SHA256
4e64495eb02a96c5cea53819a7242460b63233611beb1536c1d211171685f881

SHA512
79696914efc31d1901c91bb02b6a24456a12239c4675f22a277b631c3c20bfb9258a39f534834b4a10d045a78e2b5f239c439dd9242d427181f51665283d0a75

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
89KB

MD5
c1fdf31cdd63b81d14e4779746436d84

SHA1
6eb04f36c2289970b8d69fd0c2957fa7b8cecd90

SHA256
b07dbcceb9ad74dc9a3e86c44bee2b32cc8238acc4e7d3f315bc138629eb8d77

SHA512
b1c435fcf8da9854fc7e0faf1b8a988de34bcce806fcb0dae007dd909d32791c05289a379aeacb56c78dacf6499d15c40406af2e6a0ce3630fb3c2f7eb2beac5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
92KB

MD5
708d9498a48bb9f34713ef5bcc64fb6e

SHA1
16b42aab1edd3059b5b4b4d957f7ef0279d60c41

SHA256
b1884dee7e2644bf25b397599ad4bb9e84e28cc7b736bfedf0e87955f2248306

SHA512
c512046ffcd5b470c5f105c94e342b03401d517694d9e2699d0a7acb072d12aca0efbf702b8bd55d00b7dad9458493286b6be473de35caccba28faf82e876d5f

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
53KB

MD5
85c0c8b1f22a2a9af3726c99b44d80b4

SHA1
719ace23f37a34bf02f7bf5841467286f8f55c78

SHA256
cea17160ecf77bdac19a8b54058c7f9b55c37fe894dc9c526c874533017b3bb5

SHA512
f6f4c49d475cb827ea34c760befbc1eb3d7183bd54636e4b95842f75a232095e1de459bd7f327b3ddd6972c00d0525a02d551a1829cc72ba681dc1e6e6fca700

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
60KB

MD5
00937442e8a0b5d04d3ada7b1f7f0956

SHA1
8777b661d3a6775d10c73a7b704c1327c99632ba

SHA256
3e7b5277bb907774e7fe895097fb78e830c91ae7fe0b2228258e23f451704e4f

SHA512
15f166d960b8340bc206359db8a418d13ee5ca4c5eae0982d33d9fde42ea3676f6cd7ae6daf080c8eddedb2671ec9c04787cea36446784531560267a8e6deade

Download Submit
C:\odt\office2016setup.exe

Filesize
151KB

MD5
e79ff054d97b9e1f5eef9a6719e4ca83

SHA1
521a8c4d4a4c39145a0daf92f5beb4ec250f2a9a

SHA256
d931bd95d358abf8b4cfc29a59b68cf71a64fe6d81888f847f8f32247cb7f69f

SHA512
72ebac0447a66d365d16b13ef58d7bb848209c389ee0b11e503de66c72dc4b8ef4da1e4e629d225b0eeb2eb846e10ee96d2f5e2ea1ce6827500e73c457149e79

Download Submit
memory/880-291-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/880-284-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1008-146-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/1008-155-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1008-213-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/1604-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1604-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1604-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1604-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2356-93-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2356-94-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2356-101-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2356-158-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2432-495-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2432-246-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2432-253-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2520-119-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2520-107-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/2520-174-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/2580-66-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2580-7-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/2580-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/2580-2-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2580-500-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2888-265-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2888-257-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3048-305-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3048-298-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3080-222-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3080-216-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3080-282-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3644-25-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/3644-26-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3644-33-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3644-32-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3644-92-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/3648-75-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3648-13-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3648-12-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3648-19-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3760-241-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3760-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3760-235-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3760-240-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3872-59-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3872-53-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3872-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3872-51-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3900-87-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3900-84-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3900-76-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3900-90-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/3900-79-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4268-256-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4268-194-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4268-187-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4388-186-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4388-130-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4388-124-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4540-272-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4540-278-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4680-38-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4680-45-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4680-49-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4680-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4680-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4716-244-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/4716-177-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/4716-182-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4808-199-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4808-135-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4808-141-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/4808-209-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/4992-167-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4992-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4992-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5024-201-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/5024-270-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/5024-210-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download