4e5be8dcf85f8dda270588eb1fcde367eb4428823298dcb6b6f2bec81bcbcf7d

Analysis

max time kernel
133s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
Size

1.1MB
MD5

92dfd4bbe0c7e114a632af786243f521
SHA1

5c8b50747a2e87c7438d71e1aaf7e8a03723c645
SHA256

4e5be8dcf85f8dda270588eb1fcde367eb4428823298dcb6b6f2bec81bcbcf7d
SHA512

0e3506fd2bc5af9d26790b1152e0a9376088e72d78b6a396d0b4db00ed952740df30d9fd407c8c99abf079d1d4c87254ab1d3caaed2ce666fb8f3358140c2da8
SSDEEP

24576:GSi1SoCU5qJSr1eWPSCsP0MugC6eT/b69pJ4iv2Umu1ZvTmWePdJ3IS:WS7PLjeTK4iOUh1pCWe1RI

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4832	alg.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
5664	fxssvc.exe
4612	elevation_service.exe
5672	elevation_service.exe
4976	maintenanceservice.exe
2860	msdtc.exe
4300	OSE.EXE
5836	PerceptionSimulationService.exe
5188	perfhost.exe
1320	locator.exe
3996	SensorDataService.exe
1680	snmptrap.exe
1472	spectrum.exe
3312	ssh-agent.exe
2036	TieringEngineService.exe
5484	AgentService.exe
3340	vds.exe
2176	vssvc.exe
4420	wbengine.exe
5688	WmiApSrv.exe
4956	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\de05dcc51f063bd9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77703\java.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091b47686b84eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4b55786b84eda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b509386b84eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5f33386b84eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071afd386b84eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ed29185b84eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d81a1c86b84eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
4612	elevation_service.exe
4612	elevation_service.exe
4612	elevation_service.exe
4612	elevation_service.exe
4612	elevation_service.exe
4612	elevation_service.exe
4612	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4084	2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
Token: SeAuditPrivilege	5664	fxssvc.exe
Token: SeRestorePrivilege	2036	TieringEngineService.exe
Token: SeManageVolumePrivilege	2036	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5484	AgentService.exe
Token: SeBackupPrivilege	2176	vssvc.exe
Token: SeRestorePrivilege	2176	vssvc.exe
Token: SeAuditPrivilege	2176	vssvc.exe
Token: SeBackupPrivilege	4420	wbengine.exe
Token: SeRestorePrivilege	4420	wbengine.exe
Token: SeSecurityPrivilege	4420	wbengine.exe
Token: 33	4956	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4956	SearchIndexer.exe
Token: SeDebugPrivilege	4100	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4612	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2888	4956	SearchIndexer.exe	30
PID 4956 wrote to memory of 2888	4956	SearchIndexer.exe	30
PID 4956 wrote to memory of 4592	4956	SearchIndexer.exe	32
PID 4956 wrote to memory of 4592	4956	SearchIndexer.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_92dfd4bbe0c7e114a632af786243f521_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:220

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5188

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1472

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5484

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5688

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5836

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5672

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5664

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
29KB

MD5
ec432d51376e98387e28aa1f93b5dde2

SHA1
fe7212b5fed6bd031902e125f9870fbb219aec94

SHA256
6363bffc3a89290b0dff912da7723033c35a4d8204537c89fb7f07e790171819

SHA512
6199aab3b66fa98eb4663d1124012c564e5d8cdf4328bb50bf9a977e940ffef9b5ecbbb8e85b1d095a470957b340fd065d63f5428726e156d3c298ea272568aa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
24KB

MD5
d859ef6c37bdb13dd2edd257917f31d2

SHA1
380dea64f5512300a40b408c462d20863bda67e5

SHA256
7f0b115cbe0802686ea5d5a6d4b2bf57ef356c121582bc870c04b0a19ba739f5

SHA512
e08bf5b7edd71b76cb95ee444598a05234bc3ca3a1744bad8a9703689937fe8a6c4c5809a5bcd715804ae45c232d10d6c00c4398793f4a4674948908ed3a82b9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
22KB

MD5
8d72423f40cab5ef71e9753db442a064

SHA1
ba634d533b1b8785aa9fc823300bc0576bd4016a

SHA256
a0dadae173ee77d28286d5013553d12175c234868413836899f0f1b4c6d9b9d4

SHA512
110cae357e2557849ab43654e76c5fe64eaf52170b35e8576406f5362a9cf84dc0eded63da6b2ad98b2b1abc07c9918b379ac5c11613a33ea6c45939811152c3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
23KB

MD5
700113dc0b11e4a457056049ce3e9c63

SHA1
8cb67ce27e57478b11fe64dc1d1c38ca1af062bc

SHA256
ca437a7b890aa85cb715c6680eaa44fc3e7964c24e22b776cf24759c224f357c

SHA512
bb6cf308702de55a6bb5547bfd455f81f73765cec4bc060726b137fc14bc74a1c31f3eb6af0129f6951f1e3c55c5db357f4efc2d946e748fc067215a126c30d0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1KB

MD5
82366de3296f4efc359ab49588fa41f1

SHA1
b0bbabfa5f2d2d2223686ee09b91f3448b0f1e1c

SHA256
8d1cbc112a2771db61bb9e8d1c6c690dcdd42c5ddc592f7bb77d62291bb57ed9

SHA512
589eb6d1b58e54a53932d9eceaa74ce27b103fb6a8fa2f25bdc7409ecbc7380bb65f51ad8e1973b830fa3da67d2809a84211e5f83607f651e9b539317b4f5ce0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
6KB

MD5
cf9946bd2e2ef40e4b7a8545c106a500

SHA1
08d4ba42596b7e97ee1cd02f4c93803ea5aa17b7

SHA256
3fac14948835c6b7904523e2329ac862f23e7b95f87dc9838ba3a852b5648c8d

SHA512
5537fa01e7e184d93e0a71ea9eea4d0788872933d69921e86e7ddfe59c9e703331026528fc2c110c8e7ea67cba364654f1ee80997ef67ed8a9bd7115c6b8b8c0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
11KB

MD5
ee411e687e694725ddb2c4577862cbb5

SHA1
a62058b4fcfdf26a3c0eda189cd38824e4a9ad74

SHA256
0415f1b85d44ccfaab203fbfd9d0d75e8fa65f905df4bc2ed7336ad82769b20f

SHA512
3b6fa3167b030c5a8c8fc4faaa6dd66ee4fc0caf35fc27c3e3280088178d5d115a59066f89affd8d07cd5c2d6c84be59224c43f588f7580726a290674614ac7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
2KB

MD5
ebb176c2e72b65b0930dcf39aeb6788c

SHA1
9208fba2baf303e8265a5d60bd83d664f6bc5730

SHA256
6dcd1340d931ceac59ffc61826c22bd9542daad2bfec79b6e5486113867e46c0

SHA512
f7306c949348bf9e33d82767470e8146c188083f2785bd8d0cf1e4d2daa737a2498e3715611f1f63c094a1dab7ce95af234283241bb096fbb584271ec0d50a7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
45KB

MD5
6a245cca874631cb1ebd0318e50bf000

SHA1
7f3444ff880598ab08c833f7e6eeecfc9e90b7b9

SHA256
eebe38ce79332df4f659b6dc7bc8ee542e796fc780455a9487af63875a943332

SHA512
5acc1510d449e6625275edb77e13441dd0d306d64d06f5afc7ccc90ea811545415f06feca6c7aa67c2b5b7cd15b0e34539181b9cb39576942bd08d54267a4a91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
26KB

MD5
cfb54d46ace10a5984b0108d8d411d0a

SHA1
f3982a7aa0e8bcf9a654ec3f9fd77c32a9d170d9

SHA256
20a44ade0b790d6c114b13a2259a8648063f8eeeac87daf99b207b67d786140b

SHA512
fad713cb5246ba42b57a4c909ffd26cdc577421c1dfd4b9ffb106b65b2172c03729d84dada2ea75a565a1d7fee85baac29ab85e7c49acb5d6fc3e76ea1e89dfe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
27KB

MD5
7b0e7758bd51045378ab825db55aaaf8

SHA1
5e7b8b4fbc2b936660c1699109feb1b34cde7683

SHA256
b34cdbfebce5a6e57e582de5d387ee1ac31413f2549b4ad93bac8ebaf7471b30

SHA512
bf588926da58110176b012a13aa8939f80a92e0502605b3a895fd4424e46d2eed7243a0dd99ad008a79717bace6975c041b113a43d543b6930cb3172dc675bab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
13KB

MD5
59fba2df645b494dc8832c2e115b1e11

SHA1
0ad0dfdf8d3dc605cedb2601be9f5295d2c2fa91

SHA256
fe3cd1c83dc5485d4ff634d6ed7fc7ecf58b0bd5bf1cf1afbdfca14cbc6cf1e1

SHA512
f8356b9a73a77f5e22586efe057a3216777d46c30d6f5021d944be023d651bd7fe4019070c2f263df6bbb506337afef9ef4681ad5ebe06dc8bd79cc64132d4fd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
5KB

MD5
ddad003245f7f3759f228abc3e9ce44e

SHA1
90e39a334f0b2a26bdd2957d306ed503938f2045

SHA256
49e83e45bbb55ed1151edab68dae4be587c98c0bb7cf133d9d11c2784f3e9bd6

SHA512
912587f63cd85fa167073a7396a503f9e2c0489be1047b25ff96d3166480c24f7e66346d04de96e3b4f7ae6eeb25fde4034acab6ccd7e7c2e5f2145734ed80c6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
73KB

MD5
aa8693900babf55559fe01b590768d7f

SHA1
84c1511e6d6604d60cfeffe77ae2f8b7d717ab20

SHA256
e53be3f36f00841b2ff4138eb9bb4964b771d4b86f640dca35166b7a95a340cb

SHA512
30caebc55c807805520772c29e72a88cfc0360394585a5ad73bbbcd13232aa45259f9e9b4c005184ec544a18dfe600505fe44a4508f0265ed03ab64d0b2abcae

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
20KB

MD5
810eba5a273b5492fd06d6a34d9198c4

SHA1
0cb128ed47fed0d6c1a5acde63ef768ef92e6749

SHA256
83b69a7d8098a42d50302952049b5a7e4c15813f7d3460e772f3d85162afd43f

SHA512
071085808caeb39d0e9d105b0f0b37d6b2ccd73aeadf38ab51216b28995c0171bf7798a02258b9194b191b94601001dcea25040a9e8849b8a9a04c81f8d72856

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
15KB

MD5
6392b1f2258fbd3047803d86207e346c

SHA1
16c9e0ccdfc1d6049d824f7cd18f56419afefbe8

SHA256
0ccdd0234050b51ceadbf73cf3bd24e57bb3fc6e73125cd5661cfe1c493ec400

SHA512
3562f4c46834a799c672ca02a689b471a7002e74e7f99cdd6df0e53e84c0a9a965685c0514113be37216eb53c251d2c160ec240966560498fbabff2b325d6255

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
15KB

MD5
822150e7ad4b4d9474ffda9068847ada

SHA1
429de3c206590de432925e26aeaa8b1e899a0dc0

SHA256
8d72161d58241f1113a35f92e39c16949e7ad60af38360fc8d9b14ba0f3df569

SHA512
89910da5260d39670df64a02b92b56ce660e3035e0fb46a06ef793a3cca581f964dc4f2ac26f96e74b6ddfab30f1977629c325d66911037b97997ce3731d0827

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
31KB

MD5
07be07caa57170a8bf1aa09d1f382b50

SHA1
3062eb99b700eb7e85d84db514b3e2fc2fe3a1c0

SHA256
870b48215d03abb5d98a21cb1bd3038bf30050a106d8e15a7de7d42b72d52c1b

SHA512
cb8af66f8e38c1872fa89e866fa7260b03657c062f3792840d3597b03df40369f75d7cdedba308b2847e4329e4301c32b8f9f6a0ea7c084f5c99322e2e3d148d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
20KB

MD5
a58b6d235eb96cfb1451fc43b72ec5e3

SHA1
eb3deabe979c32df336111babd0b00337568e748

SHA256
d5fe64b75e1361f16609f418cb860f15addddaa9956780f79432ad08bac33998

SHA512
428c2ddaac140337364e24861aaa5dbc280d76a80378f440b5e0019440d0381e2c93231b8ecf5eacb12c47afa821c414bc62ad4780641717787d043f840944a9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
15KB

MD5
f1460a47e3be43651374eb33a672280a

SHA1
8a37c1318ca45fe94382a9ef80bbeeb1edfaf636

SHA256
8dfc551cab0c007fecf1a0ccd8aa445809936641a9ce2ea6f7225a8124dd35a3

SHA512
14ed4f8defa5d7f65bb2c1e44899665afb76d667b251340296dff930fbf50267b1cb8d74d8ff4731ed27903ba216684e0066379e86eba0070acebb7ae1e8ecd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
57KB

MD5
9e16251ef8b19c951df6e0a1f3a3aee7

SHA1
9ecc05ec3f393be115a7b8354bb679982cf96527

SHA256
0e60314ee42e8dffef3127f62e77ab8948b06e1cb63ae9ccd29871484e236521

SHA512
547f7e29a762c4d2794184576b8704d3b9aabd2eeb33d0cc029e53d2a2294b4420937fc13cbb2399d6561148804010005db86ab39e6f9782f9bb216b8d8ee322

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
35KB

MD5
7ac2e642d6c61b28d9fa1bb347445cf0

SHA1
7f4272b468c83a186726bdaf7059e6aa7ecf3505

SHA256
9e4f26defbdca8e3e99b2963edac03533900270cd4ab4dd9b02a25bc83b1c428

SHA512
4478a21afaf063e82fe1b50c69d4659a6fcaef328457da4c91f4e04405a6f0023eebe575433b6ea0a741d3c60574d4b51ae3f25c826e047e7bea691f1c52616b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
24KB

MD5
45c1eae995eb0a0bbf96e2d90439aeee

SHA1
83140181dbc0627ee2b04cbe92dd1a1248bb0b8a

SHA256
2702d5af15e0e762e4565cad70ecf56bc929359f7dbc014d9879affc63c43fc2

SHA512
b1197ec84dae472ea56f5553702b87550076f52405ee2e43c700c8e6d1f328ce3ae7db638311aa02fe76233aeb95aedb0ae5270edca13e11b812e68a86e45df5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1KB

MD5
8103ae071c22b5d139a1761bfe6396da

SHA1
32fd40568e6a2c2d530f2572650ed41dd1dac106

SHA256
b60503ac31aa8517fe325e387b282744f0fd7c2559da36aafb68bf4819646b5f

SHA512
231653d77410f6a0fe55abc257c55e2e57b3e880463095dfa745f82ab8d26605abe2c9941041182e087d3803fafef91ecfb14defb39603651607954598d88cb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
29KB

MD5
c1c68e18c5fe978bf55143560e05b2a4

SHA1
496742b8ab74e5132bbe4717c144d029c08591d0

SHA256
985d471fe9b052658bdaa16e4098b7ec1b2502f76899ea63861c0eaacc39f2cf

SHA512
c15766599d9d489f585a3c093717c6fb89d8a9ec89830e63dbbb20ca06808e540dbf2ea7381baddf9ed614fd795191533b353a5f6ab6aac24c42fd6c024a935a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
13KB

MD5
31abbc2230854fd1f82a730ec64ac95d

SHA1
89767891c6dd45eaad59e45b700e8c9559ef2a30

SHA256
5e285a477093667c7125c6cf9455eab493d3144400e24bfd60be406504434ff3

SHA512
c610ae02fee466288fde80afb8b26b13d1d996ba139a4653e11e9aff88b3c500106af06bb225583aa341be53bca482a1f07f602aa89a4ea76ba41bede821b7fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1KB

MD5
ae0a7e070d14cc570a9f6ec1078daa31

SHA1
89a9b76a13ebd3e2a955c02ba1d0963fc70dc962

SHA256
af0b47068b145703111c01af2db52a02999469cfea10c947e3daf399330d30d6

SHA512
a39eddd6afa6e7845c9cbed1cfe80322c6a5aeb25f8a4925ac72cc29899a698b2420db04ca4938ecbcfc083533b34dd72cf6e14d9efc76d8d5ddb81bd3de706a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1KB

MD5
fdc112388f573a0fad8951765a5807ff

SHA1
2541390f3fdb8bc6c7db22a9d4fbbe6776da068e

SHA256
610e95a7aa8b6b50ebc4bdcec18dbf9ddd1ae74633e91aac5d31cf72bab16ede

SHA512
dba58f28daf4cc74ea4db0513a019a64ad8cd954daf6071cdbc460bf5c5fc14d0041e957dd194daf33e91d15dddde44690716e6da5b3aee1c616597021d5ae70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
22KB

MD5
57fa031511fadbccedee059e82a0693e

SHA1
89b41c40d8479e2fbadee8fce2e93ed7ca9af9c3

SHA256
a0e94799b174d590c9994821de0d48f18638c8df6e4a6fa72cb9fcfa9b4c919e

SHA512
f0e9c61b1753acc57196ada60036db1226e144caaae4be1652ecbe27c13fe8764856af8c799272e69b3437707478574345b107c969d1a478f39b6bf7f0ba1b49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
18KB

MD5
854a97aec1371a710408d7283f67bfbe

SHA1
e5cb8a8ef94245a1fe0f94165f10462733c2aa4e

SHA256
f4a6952b429a8438b67d44b971b5100847d24c6c75273c9677c14e4f4283532d

SHA512
2d8ddf1c29bc432d3ac878f1c4868b58fee4f1e3f0123ba2ea728c12e68e3034d6f7d75912af3e09519fad29d6a2922f646b6b48cd88f14065bc077740f01e01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
10KB

MD5
b351c383d97da86c30a31dc8eeeeedbf

SHA1
1429f0a86ff86144b6f5774b45e4c1f64e861e9e

SHA256
29506aa59ada7bf79f969c7fa94b8e3601cfa4243a669ea287d57051836ec0cf

SHA512
87db507dc77ad6903453264f729d804da9ec2d1bbb769bb9bc88d99bdf18cedfbc906509fa841ef6c1d260564e08e621d8fb2408fc24ab33ace3c978899ee099

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
40KB

MD5
5654f03f8e115251da9fef6f26dd71e8

SHA1
8200ac10f44ea4c2fc15e42b2ff87d9f58798b94

SHA256
4f5d5b96b7b7c4db4eb2db67bb229ab839247b4611c3a81914cdfa77a075881e

SHA512
23f494cec6dd354b6e2be18809e65bf02f328b26dfb4a6395e207d0f518f06d1c03a71bf6ac5aa130f21b3e707d6fcf2abe15dfcfb8ec7336451fd55ef8d212c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
14KB

MD5
ef65219c9590b8ceae2985465e121d9e

SHA1
259f35adff2c08268b68bc3ed9cf4534380be03e

SHA256
bfa4fb4c9630595c90cec0b941bd98d0080d06914a68aa4fce968b9542f2477d

SHA512
d7f5f68aa6e398d2aed7c92be9decd3ed0a82575b26513ec8d922edd95c6bcc4b233b09c40838fe617f9aac9df24347d912380eca0990d4deaab31fe0804722e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1KB

MD5
0264c021ba3ddd17203a0c0714379016

SHA1
5ee820792830f1ec0d7e3d11df85e72c1a111ec5

SHA256
656a4b9ad37db82743e15ca57a3f961c3e3785392d97510a35b532479bae7424

SHA512
bd50ae4ea7f737988d5e4121f83c8d0e62a24fea2ddf85eba49418d51063bfa0b7729fbb914186a91efb742ac543866bf4cc04c2e1e7b6f0b776e7f2610bde38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
15KB

MD5
2212887ba1607fcfe13ae3b2708e042d

SHA1
ad1a7866d8da55899d03b359916c7103991338ae

SHA256
6ac1a7540284a8a978bc2c8cab9b34e20a329d970dddb0511d034cc99c51c36d

SHA512
f31dfe001ac0142b1dfda5a7194ba269cf2dc1372d54b4ef8510259beeaa63c5ea4324e77bef2646c1b3d9f6bce007a9ab6e4e607d0bab919b2801716b51b43e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
12KB

MD5
f79a953205771cdcb15b6cda9963bc29

SHA1
5d8cdc6d6dc34c3e0c8b9c9bee3ad9e0c7298eb1

SHA256
27ac44de844010e49431537432ff42b06e3dbdf5e84d41b86f05856d7de64b85

SHA512
7a6c261925890104c150446f9b66dbe6f62f8f513c642045055fa4e48720b4b8eede48e7f6488cf582fdaa51d949d87d4817acd95b313c6aafcfde3f623c6057

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1KB

MD5
890e2103b710bbe5065bc6ef15948667

SHA1
d36567c8808378f54990ad5f3525e912ea19ad32

SHA256
7899e7b8f254cbc512154fe6d32310adb00fb5afcd7a7a6a0205331541c0e4fa

SHA512
89d1c4238e9fd7364bdce7a43889eedfb95298150c3a48e1dc26c1a3cc21edad229daa8a344bf1845ecbb2597600d2ba4d496c1b43abbdad6f29c26b27aed5d5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
34KB

MD5
97d32384eb8adfa8a0785961810438aa

SHA1
0dab08f5c6489ecf2763d9e0f5acc4bf5a818af1

SHA256
b1f78a57a567700d1318d231b6f991903f0888b36e04fb1a6be7eaedef82b6a4

SHA512
5ec19db05803aec6d60743c26a17ceffc7a7a6869038fd95c2ee7c9ad3d14d297a66e3b408e98d66933163e45c69fec0cca9553265c4b4493ac289f4cc0fa207

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
44KB

MD5
a71bd8b4c02ded8d7de908e924b0e3e1

SHA1
0bf6fd8ed10f1bf7ddf4d3fddf65a8cce93dfbe0

SHA256
bcf8e1b9356e4f2847bc30980c4e46457c9a81cc4627c17e3a73575b480844c8

SHA512
bca3c3889566ce67f35eb45b011bc26b678e461aee5c4de92854d0648b828415c2dd97ce45c062a0b442a40f959b0830e85d7b0bf30955a7cab7a20c4fc8d10e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
7KB

MD5
826708aa8697fd24c381479d17502e5f

SHA1
bc3c8da7c950b58653d89ee010be4c9cb9e29c10

SHA256
08ae277ff2dcfb385f58662a0078938157cb7e4076acb265add9240c36e0fd96

SHA512
b4f6fcce9dc78e368133f921ef6db82a0ba5ed991b2e009b57832acfc83670fd4da1660a73432e4bd41e83ad3bf3725aeca1e29498c088aeb607411824c46b42

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
105KB

MD5
277c54977c6b1be4e7e0bf5d4b7d5cfd

SHA1
11bd3ba61837bfef0a58ad78757e0b5bcb155500

SHA256
0f21c516ee424c4010e40f61e1abdee379a8b695cddd37f7f72eccdee30ab5c6

SHA512
ce4246768a27d650b4959b5fe88211ec4122844a1c46c1eeae4d46c675974ee75f7048a0b634279a4438e0dafb5165a6ce67729a7c3c21ee5cb037ab56669b4f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
12KB

MD5
1fbdedc2e8a3b4447269216410a5e798

SHA1
1bf6dcf6977dc2c4316559860e1718c04b4b8885

SHA256
0d61804d2cfa6bee8d8226b81f02c08bded7c74844c74384e6f2684db09af774

SHA512
914825f4e472116be03508601b232ef28827420004eee467c293b2c721639a401b354780c985c085679d3a3ea430c35b45ff64dadc87f5559c73317974b3ffcd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
9KB

MD5
e3d46cd213641ba8325c38e6c2dddc8e

SHA1
1716da56e74fab25e73178364eca63326dca4767

SHA256
3c8de756761bdd468f3727cbfebc363a30fc223cd56453926fed3094a4ba04ef

SHA512
055df0e01a49630b601fa0a2d8690c4a75463626cca23ad06098da265b91cf3b2329232617dc937a67cd8bba1b9008352392afaf4395bd5aa5a31a08e28c7e91

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
21KB

MD5
9e99e10cd4ef54da492b872a52a201b8

SHA1
36054b3beefc6daba45aa08036515ffbb72f3db7

SHA256
04a709b8643ada2e978d757a654f353dcca1fa32f6f2fa7b88aa2ce2957e4233

SHA512
e2ebfdd6aacde12b33e6c82f1d4da35090f378375f9df458dc51812f7d4b1abe183bbe9594a8e4a4e1542cd2fe530c57477ad6db3f9e75e48dca835373308d3f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
6KB

MD5
ff8c8aba7fbc44ebb30cc08d1297b947

SHA1
1d68db3e4b002a5cc5955f6d600709a30a9bab60

SHA256
937d2a32769e2910316438d9b79348f4b28abf157d4925b186fd390ff84ff16e

SHA512
cbc108901c1e6f35e062f35739cd7d138da5e32a78902dd82dcb5ab6368ad1aea909e001f615f7a42affc9f7634d0131d23d5d0834bd6e7a5eba4feae36d3730

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
49KB

MD5
73912e9c2da20b97f964d55dfb237716

SHA1
5f03fdc89f414a21ff894055e95070c017dfa5f1

SHA256
8c9af1a2e4aeab24f5c22c95783ce7d65374f96821e1fb9906b8052c8f1afa01

SHA512
aaf5326f15a01dafb200ae93894515397219d13b8a14db7f4176dd6fc3b63a10de36ccf4536730d3a5f452c53f0dac3caead30d818ef0fe7366e7abe68f5d82b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
8KB

MD5
fcb25fa73634ce3c18b34d0c8ded6939

SHA1
e1b0551ed0d82eef374adb5f62cac1c62db03e3b

SHA256
f45d02f6680dee2ddda268a55eacea9accce25c4deef1a05dc29cf344c71709a

SHA512
60b523b79ca141a8893eef09a49903fcce55b85cb13e546cfc9bb22a1e3e5a78f79805e80dc4eef06e8790da5139f378089e4cce914195a8775284ab831fe16d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
16KB

MD5
b7c426b771d69279ec471f36b7a1f48e

SHA1
20c6ba61106d425df1f6c54313c1e839fe29400a

SHA256
9052473373155801e63d24e90e0d57734341c1442023d50580da8c174e2b0a8f

SHA512
a01cf463c1f1483a4f051c2c0c6c99c2fdba4e2b5f3d9822676ef5c6c08b35c764aa4daede5378495038e47a020d4af026cbbcbcea146705bb320ad34c354b5a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
26KB

MD5
73d03dc4f202585fec638c57b5104178

SHA1
2a6b5c41d5cbb33701195a3763cc2cf7c8233c26

SHA256
e43f2800ee5e97720943d35b2f8042e04b9f204f1a6aaa6e1fcc109cd5d580a5

SHA512
9be4d673b0ac45e5f59330ecc0be5a6f2d6f32e247dfe1fff677cdd0bd56d41ec7b887e29af62489a1970b95a071e2a56cf30328f111bdb40239d1d519050f2f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1KB

MD5
77a02d215f91c5158870fb8178374ea5

SHA1
fa6aca305733c725504f3b5b15ddad85e7d56c0e

SHA256
6e07e20b426ba7240d4b073e6cfe1906c37fb471b3ad01d59ddef2ec2e2100ad

SHA512
2f479cc0ab82822c18e3cbf2dbde9c2054cf597bfb0a0bd0bd2dbe6180dc639eba44d154b9a6db5b0339d7b847625599c7330a3c33a5feda6a4f7e18b22126d2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
12KB

MD5
90dfe9b9beb194033b92bea7ddb6adc6

SHA1
dbc9eb1123c39ee5dee9706c018895a32e406261

SHA256
9c3d94a71ad419782812786571b6e966bb0dc2a11cac086cbe74f30f15755717

SHA512
60f5ffd57dd6a5d6a1bad480e2e0e0f746656a4746c70e21b38d749b26e4ab36fec535cbdd98e30914ff5843b4667b28dec7834622c2e1a170c4706fc2e63e8c

Download Submit
C:\Windows\System32\alg.exe

Filesize
12KB

MD5
71f4bda83bcc1cd02c8254a044412a7f

SHA1
fbbee582f7a7dae8a9819089a5000d74b91bb268

SHA256
25a77fb23a30c768be86eda654da9e6fc9d9fef0fce8decdd2e2e7b7924cbad4

SHA512
e4b6434228f61dea48911c2341a51e29836f6fc69e2e242ea8df7a01d46bbd65b831d25beadd9d5318c024979f2177f37dcf9e088ee721d4bc62db866b6be5fc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
36KB

MD5
72b4b2d92c263b2fda8a30d94e57563a

SHA1
8b612fd76c4eb157e4e978ad42e47d8adcec7145

SHA256
a69555cfc12ff493be9e1bc3855fa4cc9f0d12aec9cc9befc9810f9203132462

SHA512
b7c57a90a84d0271ae15bb751fe9fb04b6d13b77c1236a79be14593998f60d052df2d22eff537a9fdf75be380ce78c2205ab35c14dd7e74c86181f4a4e322ece

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
26KB

MD5
27fe527b2fb03ce77162fdcd9f4a107b

SHA1
0e5332f402c9805f92d9cc82d8ccbd5ad2216f59

SHA256
54addfd17eda89a7b1e7846c8b3949809a0a00b4bdd48fa3d936b8a98a5ca927

SHA512
4a90020ddcbbc5e2d85ffd2c7746b9afa124b26f400436e27f4d9fc9f9c08a2196b7a17b4699e5081a5f450e23404796d2f3147165ba493b1a52cf59eec0b34b

Download Submit
C:\Windows\System32\vds.exe

Filesize
21KB

MD5
74af7dd6f25f5ada6c7dd1a08e802d20

SHA1
cd8b3ec3738b3f286ae410ce5ef93e274f8ba533

SHA256
35fb4fab52cc6cebcd69326e7a0b324c0397e84ac490cf010d04da4c850f4d34

SHA512
90ddb02e374956466da4ff2287b222995ca9ceb3ae4cbe5055ef45c506a4205629b0a9d3edbe87e073de2aa325895f49c07cd3112daf7c061321736a814f3884

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
5KB

MD5
2bad2dc2843832430386986fba8dd7fd

SHA1
69411794d407021074d394af8100be01831d2252

SHA256
d70ab1a600c5ea23df34feac169446d7e7d6981dca23f3898cfe58b2626f4919

SHA512
f4c5ea9d566cc17a78e5382d8e5f3dfb1515e7329a1e53002e97b9938e8f6d09626492c822652f651d969e96286534d914cc3f057492691e322b66e21b89aae0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
5KB

MD5
99706647d91fe424a72e26a60406ee3c

SHA1
e8f4e2f81757136eebecb04bc6a433c4f4c3665c

SHA256
0855faf9ca06a41c49d40f01f0fc045032b094d30ef2d992be008f81ae34600f

SHA512
ba9b56b0116c4985d997339b89d0be70abc8ca25c82c8e6d629bc1542ca015b57047a48b9ca8dd75be1a3e6a8f4cacf53106971aac9b9d45ea2a0420c246b1a6

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
13KB

MD5
367eb6b4e8ed134a7981333c77d200b0

SHA1
50e178d380914f4eccd2f274fc66bf3bd5dd401c

SHA256
a8157141b7f7b55e28748cac2261fe03adff337002c8aa57ff5525ba804b852e

SHA512
8a376563fe25d78c71b55bafc12b8c05ba779c517c823f5015f400c2540f39f1c03d70dc7b0ae527dcf3df2125d20769dfa3f1f4c4f079cd2cb3826a8ef8a61c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
19KB

MD5
1b123aad5601370d2c77c6f51ce67fbf

SHA1
3fccf9019829d9c33db3e60f5d0c1234ec0d9003

SHA256
75b75e9e34ada4efef12993813e602be8a1049627c257e64d36d718fc2ea0c84

SHA512
98fd35d7baeeb2447cb68bb0556534029b855b2e9a99c9b004d3148be6eee61a8a7b9b6b576c8e3478b6cce6dd36a2ceaf3e5f4856c11e6df6c3e0ccbd40d7b9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
42KB

MD5
03acbdbedf7429afc84d3344a68fcf80

SHA1
35de08bf7ef177e9fe9f5945b45de1dc7a535f3f

SHA256
3bd5ae78b437b933b906a156379e090bb61d6287b9f7352f664440d74cb61efd

SHA512
1f4807797dfcffe35b8987801448572afdd4de4aeba30b701a0a3d190beca79949e0ace2f1f4108fd3b2c9dda9a1b08c7b6e1d726648850f6537665255071732

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
14KB

MD5
610175e2ac08a655d6da85e2e9360373

SHA1
2bf2f54c9514382c4b703766d9aaa0b5abb18e7e

SHA256
8cc8616695e90864474ba79f60922d87ebc48eba38cf7ae44a5aa2ce9ae0b6e8

SHA512
967f6a2a21ef614892b71bb7dd127249469d05158c4ff805223b221e8e19fef91e426c69ef6048543a876700961d28e3718b89c9bc494b5681f522cce475f008

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
21KB

MD5
9ea589591645e5d41e90e2aa7ee1a548

SHA1
653bf0b24b1f4f4efcf1e46167982c4d1732e587

SHA256
dfb3ae72db6d113e2143c5ff1316bf0e74a04d3d4482ebc5772528391afc8ba6

SHA512
f83438eebeb117ec8820ef94629b01e3807eb778cc2979fb8d8adf53904757de41a62df84ffca9d243cc32e80fce2a0add42312ae23cb800ae157325537a8c95

Download Submit
C:\odt\office2016setup.exe

Filesize
24KB

MD5
b7c12abca16fb768d66b84b5efd1ad4d

SHA1
0e4ce5c2b1b956840e6cadb66ccb4bb956d46935

SHA256
f927c1398842631a703a110ba9e1102d712bfb02d4d1dd4456dc46278ab24674

SHA512
b3e6515f0d60e0a14207b87cf58cdc9fb91632ca1efa281c0f47c9bee175503e805b6826dd969bc6b644aec4d4027f0b82c848446d70c4aa2dba21e5b9aec346

Download Submit
memory/1320-116-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1320-164-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1472-137-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1472-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1472-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1680-124-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2036-154-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2036-386-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2176-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2176-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2860-73-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2860-127-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3312-142-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/3312-152-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3312-376-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/3340-395-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3340-161-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3996-121-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3996-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4084-8-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/4084-55-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4084-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4084-1-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/4100-80-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4100-17-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4100-20-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4100-24-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4300-83-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4300-89-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4300-136-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4300-81-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4420-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4420-169-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4592-427-0x00000231915B0000-0x00000231915C0000-memory.dmp

Filesize
64KB

Download
memory/4592-404-0x0000023191580000-0x0000023191590000-memory.dmp

Filesize
64KB

Download
memory/4592-387-0x0000023191580000-0x0000023191590000-memory.dmp

Filesize
64KB

Download
memory/4592-422-0x0000023191580000-0x0000023191590000-memory.dmp

Filesize
64KB

Download
memory/4592-424-0x00000231915B0000-0x00000231915C0000-memory.dmp

Filesize
64KB

Download
memory/4592-425-0x0000023191580000-0x0000023191590000-memory.dmp

Filesize
64KB

Download
memory/4592-396-0x0000023191580000-0x0000023191590000-memory.dmp

Filesize
64KB

Download
memory/4592-428-0x00000231915B0000-0x00000231915C0000-memory.dmp

Filesize
64KB

Download
memory/4592-426-0x00000231915B0000-0x00000231915C0000-memory.dmp

Filesize
64KB

Download
memory/4592-398-0x0000023191580000-0x0000023191590000-memory.dmp

Filesize
64KB

Download
memory/4592-397-0x00000231915B0000-0x00000231915C0000-memory.dmp

Filesize
64KB

Download
memory/4592-405-0x00000231915B0000-0x00000231915C0000-memory.dmp

Filesize
64KB

Download
memory/4592-381-0x0000023191590000-0x00000231915A0000-memory.dmp

Filesize
64KB

Download
memory/4592-382-0x0000023191580000-0x0000023191590000-memory.dmp

Filesize
64KB

Download
memory/4592-380-0x0000023191580000-0x0000023191590000-memory.dmp

Filesize
64KB

Download
memory/4612-35-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4612-40-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4612-102-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4612-32-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4832-72-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4832-15-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4956-177-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4976-56-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4976-68-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4976-70-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/4976-64-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4976-57-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/5188-111-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/5188-106-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/5188-157-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5188-105-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5484-159-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5484-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5664-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5664-33-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5672-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5672-113-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5672-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5672-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5688-419-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5688-173-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5836-100-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/5836-94-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/5836-150-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5836-93-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download