932a2635219dcd7a39a601b09d773ea3c524494eb96c88c73ee537db670a30c8

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 20:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
Size

1.1MB
MD5

a775374879a087723ca9895ca907671b
SHA1

e471dd80ed1fcc9fa8227cb210a744c682032557
SHA256

932a2635219dcd7a39a601b09d773ea3c524494eb96c88c73ee537db670a30c8
SHA512

13347cb675e2936c1fdb011b32a3643148596aafc7a2aefff9dd8d64733dca57133083d7038512b9d72be89c69b712d8bd06f76e61c3d9f65ccd5a1fcb3c9622
SSDEEP

24576:cSi1SoCU5qJSr1eWPSCsP0MugC6eT9n2JOt934J7Z6bQaj1BvUm9J:US7PLjeTQJE3jM2ce

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4556	alg.exe
2440	DiagnosticsHub.StandardCollector.Service.exe
1148	fxssvc.exe
4640	elevation_service.exe
396	elevation_service.exe
3084	maintenanceservice.exe
4304	msdtc.exe
912	OSE.EXE
4960	PerceptionSimulationService.exe
2068	perfhost.exe
888	locator.exe
1168	SensorDataService.exe
688	snmptrap.exe
4008	spectrum.exe
2352	ssh-agent.exe
4392	TieringEngineService.exe
1556	AgentService.exe
3484	vds.exe
2396	vssvc.exe
5008	wbengine.exe
4928	WmiApSrv.exe
3060	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\514e21b54d74bb6b.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{BDAA48F7-DD30-440C-811E-DBC3EB54B114}\chrome_installer.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000191e6396064fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000121ba196064fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041317696064fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1b7bd96064fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003bc44c97064fda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2440	DiagnosticsHub.StandardCollector.Service.exe
2440	DiagnosticsHub.StandardCollector.Service.exe
2440	DiagnosticsHub.StandardCollector.Service.exe
2440	DiagnosticsHub.StandardCollector.Service.exe
2440	DiagnosticsHub.StandardCollector.Service.exe
2440	DiagnosticsHub.StandardCollector.Service.exe
2440	DiagnosticsHub.StandardCollector.Service.exe
4640	elevation_service.exe
4640	elevation_service.exe
4640	elevation_service.exe
4640	elevation_service.exe
4640	elevation_service.exe
4640	elevation_service.exe
4640	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3464	2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
Token: SeAuditPrivilege	1148	fxssvc.exe
Token: SeRestorePrivilege	4392	TieringEngineService.exe
Token: SeManageVolumePrivilege	4392	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1556	AgentService.exe
Token: SeBackupPrivilege	2396	vssvc.exe
Token: SeRestorePrivilege	2396	vssvc.exe
Token: SeAuditPrivilege	2396	vssvc.exe
Token: SeBackupPrivilege	5008	wbengine.exe
Token: SeRestorePrivilege	5008	wbengine.exe
Token: SeSecurityPrivilege	5008	wbengine.exe
Token: 33	3060	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeDebugPrivilege	2440	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4640	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2308	3060	SearchIndexer.exe	113
PID 3060 wrote to memory of 2308	3060	SearchIndexer.exe	113
PID 3060 wrote to memory of 4452	3060	SearchIndexer.exe	114
PID 3060 wrote to memory of 4452	3060	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_a775374879a087723ca9895ca907671b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5068

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:396

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4304

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:912

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3952

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2308
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4008

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:688

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
80KB

MD5
c56a24a516092ed9360af275a735b216

SHA1
4ba249cb298a456a9645155ffda069edbbf0fe23

SHA256
d8e8a42aeb2a8629f4f27f9dd04fcf8e7794c549612d2d5b0af194c49b550532

SHA512
fec4d3a2f30e99525632b9011231b8bedbae8b2b94bf8753ad77511fbd2d2cc0c29ffc41cc037582482c5bfd561486cdafd50fab9ab4d7a96c3f497d2f5e55f8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
343KB

MD5
1522def07a37dc794131b2a6a3228892

SHA1
7d63bea64d89075ada7c96f63fffa7cff58d66ae

SHA256
a23e4e390afaed51cb9804abe84fba15737ebda37087aba5fea9548b858f691f

SHA512
20ae912b84e76bc8eb3fa5cbd0329ad31001c7fd509ecb9778c7ec2c24f167d8690daad27ad4033eebd677ac24b1f1b79c0b4cdf133bfd953d3c2231012af537

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
124KB

MD5
6e7facc54f60258515596b0dd7598088

SHA1
8a0f4efbb8175fd18299f36839b30ddae15d676b

SHA256
86d2f8e2e7a06313a32b52e2a20e36eb4a515bd1ba84afe479badf44bf248eac

SHA512
b4efef7c91121b6d8d184f3690542cf3d2d7f8f65e7edd16262633f52adf27264e5b8beda79041f928abe1b8b954954a569fe5383fc0ad63920359279b13ebd3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
105KB

MD5
bb6b884af2c0a5d18b7446b6dd3640ef

SHA1
7179e8feed2104f7179193609a96116b425b12fb

SHA256
a179fafcfa9767e33620a5c3016e67430ab0302a3098437773cf7847df654721

SHA512
a491d9da67fe9f86850e2374976164dc0ff1008941f64e7a5814146c159f801327bef5ad575870855210d89e9322e942ff4972817835fffe46b5c9c92f18fd77

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
47KB

MD5
3a5f63650612bd5754ed3ab7daeb1f51

SHA1
42c52a740c1315d28fd79dcea4628da352c1e0d7

SHA256
389c3dc4527715243fb0d28bbf85bea2f5804d9ea947c9fe498ab4ab012f7009

SHA512
d6080894c0e38a206a6c8b7e8d17b44d78fc471701ebce932e588087a26b12758ec5e899f7ecad5e7198cbc93fc2ee77d53190a30cd65147113ca4197ca5656a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
226KB

MD5
34a236067f3ccbc631d312e966085f5f

SHA1
66335bedaa82a89391adac046f1efcd5c8c253a3

SHA256
c6e39dfe720847ff48bddddd6071792876ea0725608ceb266d2c9b6fbc0cdc88

SHA512
a2e45c570ead65c011cad2112f65ab2c6fe956e4e7de6878d97033ba14b2f36205d650598d00fd05eaaf121dea31acb62679635cddf1285eb3d14a2625c4fd44

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
132KB

MD5
a3875e2c59360a8467a2bcd2f0673a34

SHA1
5a466d6cc08bde189609de943ed9661337b56142

SHA256
0ea4b86bdd5af7e2809d5a678dddce4d36cca6cf01536a20fb86b3cacd1284d7

SHA512
5abd0fe0b107a25f0066f9dfebb42003bcd8afb94d1043bfa18003b92e3a8c6911820d299b179d8092cb103ca7dbb8956cb13fd2fe1da435818ce601aa482a89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
128KB

MD5
88597e5805c6233dcefe284ad4c24970

SHA1
8871de85d89126159363c60263b6bdce9db86382

SHA256
8f8d5149323f11a832fca011eb30672617cda9b209a2462a8fdbee63561a30a0

SHA512
170a01a29644cb277d82ffe0147a4273b100b164b42633047b77abfe7e05479e793068fae65409f0c1a4f0ea3e4320565b8b827257d4c45a4cbecda02ea6f9f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
229KB

MD5
05e046a51699befd992da1df19f1e2c4

SHA1
b0cf8881fe00c8eb29b78c83f2dd3b1f4871fa45

SHA256
2ec7cb2dbe33a873a33cf9d975edbe1e9294cb5c78119fb2b58262a20cfc2674

SHA512
37f1e8908aa2f28a06e4854f3bf7ea894038d0a5d1419a327c64ed2b56c04e72e5a572f517981842f5288f64ac556eee92b67f57880f3a3bf15fd66e956cb417

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
117KB

MD5
a1f45efd91329379ecc2708b1c2f4361

SHA1
27a7acc1b6d296c5f5a66a7050559d63a98001ad

SHA256
e36bae5d0fb79c83cd5fdf26a3a400a0aee6b769baf019a4810167cbec36a10c

SHA512
d986d3523b4f3d29dcc07c6e5f56bdad1154da0d09637295443681b5f334481a9cc421c39dea030fae7b5dcdc1ce8e59df9816c93806ded5674dcf6eafe5d8a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
31KB

MD5
41865033faa3aa9096d8dc455771b4e9

SHA1
79af45170030b71494dd022eea06c5a6932034c5

SHA256
617c16cd97c5e4d02914ae80c59cfec31f158cb746cae6576a35f5181905690e

SHA512
dd453d4803cb77a953f56961f74076926459423277d83602e10a466bd8d6ef21a9568c58a2475ddf4e230a9aec0f87d32cbd5b229eeb848f2be0d426ab99952a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
228KB

MD5
1727a2cbecb014f183ae31d153a0564f

SHA1
c57d8aa64e595190e01343dc0cf1ccdba5648307

SHA256
a5a9cf29987d93fee57ad7b6df9b2a28680d0d38b1854edfaee7afaf0a908ba7

SHA512
520d79150274322987808abb28e32266e5b76ca0ab09f4543e1f2346b46153b6085f2b7ea81912536509c85e594577cd481ec9ac6084aee3f4e05e4f6f4654c3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
221KB

MD5
d56b8326c9175c364f99098972518bfd

SHA1
511ce5787df4b7498a298ac04fb06cc48619b335

SHA256
67c9ebce8e352d3d911c1770c5adddb81988c61f8bc5b7bd78520648e0f6ccb8

SHA512
53d8fc5684d7d77c906b7a2b25bab09ca3456d09c7d204c8fb9b2ae95813c152f099f8cf57ae065b38fece563c60c49ebb9710d84a59bdabce787668033675af

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
239KB

MD5
eae1af9c00ad3d3c477e4a27d70368cc

SHA1
da0099edb340ca6d1023ce2790c255e976259fee

SHA256
4573860d229af4ab6bb0d4c14a3a3eb43ed5055ddc7d23c5bc24bb0099f32eff

SHA512
3d1d0fada0bb3b00f5c8e2a341cf608529678306bd80be008014d96bd42770b9b474af874924050f29a687a1bd29c829ea4fb66be1776c939ee4df879fa1ebfa

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
139KB

MD5
ab618314e1a11201b37f557d784177b9

SHA1
971f1aaed1d5edb9b6a0da94e504501b25ab1962

SHA256
a608d8c0fba5ba3c724641f9ee1a77db5988774f015e94632aefdf878efeb3af

SHA512
d398853d9deca3c603747e709b19eab833e1918dde8b241e111daa7e0bf6beb077b5c2b8a5e2e0b1d9b6c8c082fa97ab8483f93abee86aa27a69b48187492f40

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
220KB

MD5
ba54e6ee87cfe3a0ddc551ac91d8b6ba

SHA1
ed711135bf51050ec05fd1745c6cbec88e06af05

SHA256
c72c1142f59c6d2d0c7030178dadb4927d733f019fca9cfbf7afdcb2135ebc3e

SHA512
47cc9028895dbc8a4437c0210e66d2b5fac974183ee33bd296e301c9db84b9e11b5b0fdcd19aa73f0538fe215b17a54d78ea5eafbee58cdcdf4888d039f00fc0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
153KB

MD5
464a564dddab55d0cb20dda801073d37

SHA1
3e0db0445dc530a5db05b71f8919f68cf65ef01a

SHA256
129746cfe75bb7e4abf5e968ee6787fde81cc0959e7bf3844927244a3c736a1f

SHA512
7a0f4238d110f34311016d1277e92ed89455e6fa0221e354facb783300adf713be318db6f4491221490fd71051728f3733551a21354cddc3f93d619a6ff90e77

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
67KB

MD5
ebb895ec9852fe602fcd15d90eebdc91

SHA1
fcb6f9c97cecdadac76172d4980abe46d22f4194

SHA256
c50bd41a27c98d4742c79ae129facf36f4f85c53490f0d9f47e4e97fe89db310

SHA512
eb78fa6ea8e07635d01bae3a50e8110fd9623d5fc24c2e7390eeab430c3b5de415508dbadc7218471c3ec4125b3f8a2b3746e19f5c59aaad56bcb0ef3e7f9b97

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
644KB

MD5
66c3b0db63b2bf8c4b87e7f9925230fe

SHA1
2bf685338c1b578da0537b6bb32e7823b2c9c254

SHA256
e8843132593b20bb298b12399ea563e086b914de66b8fc792301d67329b99d73

SHA512
cdcb32edb4fe7f55b9d7b2e15f0deb567bf8171fd97bcd71904c6faa0c20280c49712a6a8a47656412fc8746dd1632bc6af216787e1603b41331ff58fbf90870

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
131KB

MD5
1aada8577b7a86119c7bcddd6819ba53

SHA1
eff80157a6000cbcf905aec5ad2f8ed2ae5c350d

SHA256
7fa30bc48dded3773c5ba10d4427ce8c2b59b266f95700c36f484309c9de69b7

SHA512
69463509ce80d0edeed6bb80ddf787422473227ce913ac5bae82e9e0753fe51d227fd4b9bcb83612b9d0d43d005f2247893ec21badfb4d74b989fec07407738e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
194KB

MD5
03c2c4690ab236f76b9ceff50b425635

SHA1
f130c2ea7737a8a3ad05fd07d13c2c475e6ea06d

SHA256
c87582da845d7e08bd856ee55af81b73b1554ffa12bb7ef7e6fef5482927c24c

SHA512
d23bf9ebd110f7ae0f4ce304026b6bbc756f1e4653dc677c41e6e0e2bd0afaf703f6c35724118994632a8f3b2547799cd5a32b6f94d2a594b2daf36288a28d6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
182KB

MD5
0592729cd3bac5a9f6987b50d32177fe

SHA1
fa1610920c2235a148e579db98c434cabe691a5c

SHA256
1bcac4c11dc3a4e6064052f12c0886fbd14647fccfc817cfa0268d1475db09e5

SHA512
7e10393b92eab03b13ef0f8fcb9b42d87ebfa0c0a0b5bb6e4a4cc91b53f49cdcea5417eb5bec24ad0013e785d2c2f15ccf6ca1190c34cdd4c1254547ef2def36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
202KB

MD5
8cbe7e2a3c6bdac4d2ff8ab8d3b774ee

SHA1
d29b5c5e62c94cbb35bac8c30da804b2531ff2d1

SHA256
d5263d3abbbba6dc31c068e7ed145195597f6109b862ee0d36bb3f9a3ad62ce4

SHA512
922f6c1dffea8ebec253dc13140869ae8ba6703c1e7710890f3f48692215fbeef331ef3c2a5e35f039bd8c789a9793d0e953bc68feee9f07271da1cbf4055d50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
208KB

MD5
fc9c7c006bc62bbb70b63d43eac3cfce

SHA1
f6090a9e439c45b7a4f32e9554416fc5a83cc634

SHA256
5f7741dd5b45b6eda8c26179427d2f961e2872fc2dec7cf50989305383df095a

SHA512
8599415e641e1113aa8084418fa840917b74ff761fa01a2f24207cc08c3546ea5b64f8c0f3f25bd63de5e57476472a70d95a2e1a394fa44b1ad62ff1879d6cdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
149KB

MD5
109ce9eeb2f538165d58ec27152fc6b5

SHA1
40d7f66f8e6b51149d7ad1bf43959f0bfbe199a9

SHA256
25be58fe8aac4c4416f74ad2a8b620a1ca7c8ba7e8411891654e481b5f67e792

SHA512
52c1549cea0f3fa5f0a6a382e664f64e7d710d691097f766ca701b3f80431e84184beb009542fa5584a981602402586df88585d3197bad53dfc637b996e3e412

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
154KB

MD5
99d8c81c4fc2d206899529b62c6cb842

SHA1
7958702dc22169bf62fbf6d1cf74c488bea74d58

SHA256
6d32b8b19eb3af160b39c1cb29d2c1fe6bb708b35b9049a7c0cea0533583d77f

SHA512
1021a0553986e06bbbdd1417be5f1fdcf72b7a962cab15e0d1d322abd36d8478cff470aa99d0a8c9046be58f31e1c893c60d0c6b9414fbf35a25382f8b503f9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
147KB

MD5
c503157bef840ea5432b516f83f12b2e

SHA1
6afaf92a05f29c28f20ce058fa2dc4fd7caec27d

SHA256
62f5926ef7ee9d97a76f931033840d9dd4d6470d9f36e7fd861d0e18aa5aad7f

SHA512
a9abc5ee9f55d8effe18074e9776d1db8e36e686adf726fc2c969d0e1541df57533b01376ceaf9ab250eeb030cb2bdbe029a7161b59cf3a4b722f65f7e885875

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
94KB

MD5
d0112e4dfdc4a353383e08c92f83ef7f

SHA1
5d1558bd5df981d3ca5f0977852998db16521d06

SHA256
bb030ac440eaa1ae35555549b85072db883903434873eb9566085fccc9b8e2b5

SHA512
12696004652f1851b7f2d2f3b1b7b9eee8271798599f218b60dec9f67799e159c2e91cebb17cdd4b79bfaa084e74b7ec57d3a27880a83f1c593df2f73905a871

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
224KB

MD5
8e6087f7c1c9145dfc8dfee49554c3b7

SHA1
e989fd26aa93cbed4338b0da2e958e2027c95e2b

SHA256
c879e1cc46eb70d1005672220c76dd50d09ffcddfa271a3bfb433a1129adc2a0

SHA512
ea0c66208b68c697028cf1c3f0c11273a4ae6cabc050188b4d9c7311f9db7b39314495061aacf8e760a90053e692fcb769dd1fec026f7ccbdc063a9e59f39f7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
98KB

MD5
029c95778c9b3d88e331e0c1af4b8a71

SHA1
fe766edddbeb8577f372a82416609639559e808b

SHA256
55d7e99c433fe79ae374dbfbd25d6685804f473a60677da164847f080f4a3946

SHA512
c02ff0d989dbfb708d5559a4327df7a1f614bdca1250f4f4728ac4a45b3b92f5c0eda124279b99b1f8ee04c7e71b504b5d456cabc92096d7f4bb9c3d3cf07419

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
229KB

MD5
18f68b3aa6757d7c68e43ca88d9bfdda

SHA1
f006c3d5657eed69105356f336302cc35c68149d

SHA256
a9881513972ae078cb7a962cac5db5e550a79d620deb085b2ecbf8c74fc26de6

SHA512
1a19e59e0922877a7c62f8c85ee5702780c285abf65dfdc09f85c0013b11f6f5e8482215e53473d0a85fd3a8c60de5ae9fadfb4627ac8fa3c7b5f7fb792cc0e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
191KB

MD5
bc246aed7c74798ce0eb7a627d12987e

SHA1
ffdda4d5af7a15a52858207bb787ecd4b8b89c1c

SHA256
406df572c750b60b96d1a25043a84a003949c3250b5d9ea261bb10e0f012473c

SHA512
1cb721339ed65e5e3956deed76ec60067808d8d4bac6642da16a7e9cae737643de9b8574aeea4c2720dbbf824c4734a7270334ef4a1b393b30ac5b1c09915d5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
229KB

MD5
6cb707b42ea870dd92ae55713f0ff576

SHA1
9ae8d65128931a9bf29003cffd842b40781a2443

SHA256
69bea853b26d10e9bc58bc4b27548033a4b56bb6f5efeb028e5f756367508fd2

SHA512
186c90de750be0c6d7980e6742d148bef40dd597de77e5c8777482e158978ada25fa96dd57507c1254885b210687871997a1ca29a583e9315cee601b56ca3022

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
75KB

MD5
3bd0a72f98c7c867445e4a1ebb0ddd6b

SHA1
f216083cc31b19c9281f34750b2a58f6ed7ff440

SHA256
fee7c1e2ecd86c28a863d657dc5c8c61b736fbcb57b8ccde85fb7bac9c1d977f

SHA512
b93fdc82bb23a904a9b5fd49d169f78f33b1f9592487f9de8dcc466afc5f6159539374acb74ca2a5d661cbae8eca706a2fd34850937657d745e189679c1f5faf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
204KB

MD5
47d0b71eca1e66a35debadfe1a7d9809

SHA1
505bbd0b9f30525e8de96ce77186d4cd9fabc887

SHA256
baabb813449d8125dbfd90702966e9c2c5327d2be58f720a5424ae590205b4bb

SHA512
c80113120e46913fd7e1cc539c0afb1b1b8c03a8809b08ac93eab679168bb048e16cd178a05ca90c50e463f5d023f67ca1feacf40021933e7da3d8fa5ce5cd49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
132KB

MD5
89d4daa0302c4d5bc6b2cc8cd9cf6b0c

SHA1
8c3115a5d7a62c113b7172e133c0f52678dc5d5d

SHA256
cf6972b357c8a98015eb24c04f3438f3f04eb3e618b96711c8580ac199d074e6

SHA512
b6281f8dbf1414bc0bd7af15b26a91bd4ba7e8cfbc6afec1815a2dab2fd376ddb30284567aae8092b085127e848d700c2a415b352e61175fec1e25db894ba502

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
271KB

MD5
ec0908d549d23e4d13491e1f42201695

SHA1
314034b27b9aae196f67666e1adbed6419944c5c

SHA256
7c3179b7fede34f78c8cdac53fd6ab2d3e1d174a39896e4e069cf12723c782ce

SHA512
884a7a168b0befd5524817f936f52423c2db713eed1d75e79043a3a7a287cafbb38b1d8cbc0a525475137d9cbe7d502d4c7c46d0d70276f1c5b432a634ff07a5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
185KB

MD5
2bbe9097b52c7fef32dcb3677cf596b5

SHA1
01ad5456c8cb67c44bce1e184898519bb828be2c

SHA256
f18b9e8488821e28561c07f9e810211bcfe7906fea06be6fb7a748a825d1016d

SHA512
feb338649268b30947e8f502f2a7456ee006b3d653350003f498345decca64c886df78c50f852f3eb9419e394b058a9d13cb336dada70507caf4bd917ea222e1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
121KB

MD5
e02d838fe7c031dd6f477a83e71eaf78

SHA1
4875445d17d9254259a0c6969e0f5bcb03454ac0

SHA256
5115dacbde167ba4e44a3456b397104f23e672d121ccc5117d4230723b735a65

SHA512
09c7a05508ffe18ba459311a0c974742b52db3942990d31ca344401a3f4a0c4cc730359b970da5528f1beccfe5cf3c327d28b5c24778c8f166e76296217373da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
44KB

MD5
270e15822b05080c57105cc102975ce1

SHA1
64da4f0368f2cb03b2ca700c31bc3301d40df745

SHA256
619c04fb515de397c73d679ed9064f80986b46a031e3b2431402c8402a32df16

SHA512
018c9f606945ebb93daf98fd3ba30d53d736639dbf29e1a2c7588adc4f311fcb187e27f49237590b98fc5d677a555e8ea07be6af2c3043ac7762f02b4e2b339c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
198KB

MD5
122828e7485763e2598d370fd432e62f

SHA1
2d5f121b029d727e6a6873240dc4a179a5aae31e

SHA256
c23c218bb22dec5624d0a591ef48e67faeb744bbf619872e950d3ab3d7f5ca43

SHA512
19503e51c4337925a6bcd9fa5eb7e92599999e49ad31565cd9c22546a5d23bb64b0a20bc0b1e4df8975ae01532a0c697f26beefa207424a7741d14f76901f9e2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
370KB

MD5
2ab582d9ca1b0dcb6384a2a297b5d2cf

SHA1
2c7d6f71b23070d5f3f59fb23b4f41776e89c8c9

SHA256
e1a9cdde5512870a98aaedcbc860382e2b2527fc7948c9df523ad641f634c493

SHA512
13004220755157c57c2137159eb9cce45c58cd8db692052bcc5b470d0e2d540cba6252c689421fe9117954750fa8a93d6844b76185d46a11be48b899e412b75f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
226KB

MD5
d9f8eb58a401991e12f4745599d6f4a0

SHA1
763afa8d84109039ff93bd5b46f74668273224ca

SHA256
6facc5bcf6468dee8e8dd9d93f54118b5e251f4cd8729eab42fb03ca2e581abe

SHA512
890a3f8adfc11a1021c113b56efa58cb81006d05c7ffb157166aea4a186af86fd9bf04061feb09f611cc941eae5865c7bca5ae3dec69213081fadb2ba527e603

Download Submit
C:\Windows\System32\Locator.exe

Filesize
22KB

MD5
d49bc0f587fe90bf57a3603a3c561290

SHA1
1b847bc872dace779359807a8d28d851fbc90808

SHA256
e3323603f67208f7042500b099be12a8f6d76fb012737597974f5b6f018b877c

SHA512
2e0070df9d7af458130f218002985de41c75c2a8a774cc5192526a76a89efb566c35d0994d5be18a6ab5aaac89013ae1e483ac1f7a6a01561a8539ab88e42aa0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
116KB

MD5
0f37c0becee26292a8c8a2938744e00b

SHA1
1ddbf45d809768bce1a33086fc7865265b3d07aa

SHA256
3e07b91431afbb806a38487150350e421857b39115a98092e0ac87662586ae07

SHA512
12f466947b2b6a19447588f826e4737460d85e907d7938c2fdef9321ddaecf7c785013ef177bbfbb819cc50807b39676eb8d8f9104e7aa4e08bcb8c0ca1bf47c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
129KB

MD5
7f0b21a667191208f9832bb498a9c94c

SHA1
4178c4fa0e167233fd3d182555f0be4b88fc877b

SHA256
d3582a150f4cb4c72237cc56d5a608257be5da0332b0805ebeda084b454993f3

SHA512
04a275543b049f6e4b4b12ce5055eff4c7c70cf5f0e9ee948787ec3f6e9ee3e2341feb165b082ea8c0ea374927b34ee86a65bf68292fd4780087c8bc26150f6f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
94KB

MD5
088d603cf79ca62def1766a8f0a12f09

SHA1
626a5577e35f722f9596bd55dff26175c95dce58

SHA256
5a40654e03f8a499f5a3f0b54f0d302c72a95ae4df3f3347081a86296fde36a2

SHA512
409026dabd2a2fd987b0226e649cbcf9f44c887b7cd5241e3fb7ee994c7658631627afde239750f15c0e06cf68f6903ebabd5e4f926275b38e6c7d8d4855d87d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
126KB

MD5
a3124d1c8dacac5ec34dfd580fc93078

SHA1
cf05714f4f888f7418ee5a89f82bd45aee63a0a7

SHA256
174c23a0a97efd952463beaa31ba3ec9eec456480f449b701123f3d536bb13bf

SHA512
09d4bcdee582e4c22839a9127049f3654e9e28d0be566f8a553aee66608d2372d35b8796cff508209e0e970dd3117e1945aae1d591c940a082c06baacc7340dd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
70KB

MD5
72c015920a0af2832a0049d3f94921a9

SHA1
95a0a17522c5c7495a6383082f9f824a66172fc9

SHA256
41d4bc80683b75543899ab27af15881f48e5b3c6ee13e47a2eb1542cb1656df2

SHA512
3365f158998b8130c4de363aecd54893e93a85cb3ef72565174809fd100bb65d2246b8cc6fa878bf42417e4d5ebdd2102198d26aa251651e04b853b72679d357

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
19KB

MD5
a4e0692a2d15e2c53fd7f3675578ac8c

SHA1
5c0e32d7d76e9dd470405262a86a3aca761f318c

SHA256
c1b2fed448b58a77460c862426b22a9ad92a4171eb81b6d07cb4901fe50a0c2e

SHA512
e4460dcc4da7f25e26c4a067dcd36392ca3a11409b3717fe3714e0bbd76c128ce18a7356084746ee40f2f12aa8621e8abf1a435ff5e8ed9b8943b38127293c9d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
154KB

MD5
bf0c8cf8a30ea138ef497e522673e47b

SHA1
58e4b43fa84db42c68b62831962619074ed9fae5

SHA256
5bbbe2e2c4ead7f27f39881efb20202cc0910028e0aac81820cb4c606b1fe173

SHA512
b9aefbd85f93c915819c48575c20605b5714ba2ea921993a6fa4dd634d15597c6785bc619fc6888eb9959695b30e0d2e9599a1c7f67c938f42be07e23a9787b8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
105KB

MD5
d1f0c06ab5c38cc1730873303b5fa275

SHA1
a1ba2c085f9cf281715bb0b5e341169a59833d90

SHA256
a389a385ffe36abe660331302eb519b4506f689cbda0f88192e741f75a015ae4

SHA512
ec7b6b83f4ca58529cbddb329bfc76ef05c65e078227c3758746b87ff8ef240f7746ed888ff84b45934bbfeac0b9f1c07faad1d59976725badbbb1370537ae57

Download Submit
C:\Windows\System32\alg.exe

Filesize
396KB

MD5
629fb5bf08a6f2100f946883e7231644

SHA1
b47fbaf99f9fde1fca7ad2f5befef40529364515

SHA256
6c217cf7d41b78006720146e086712857c62084e3a45c6014fa3a063f9fdaa2e

SHA512
48f1f60cf60f3cb0e70c54f9cfcb501d3b4d5baee1fe670cabc275f1d8d32694d918859879431e65289f74b56f749ef101e58f02e98539abc9a972b7224a3628

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
116KB

MD5
c9a5e39c9cabe1da25ddeb16d2257aa3

SHA1
2db6a0c37eea1349231fb2cb5dc979f1d4ff9b6f

SHA256
3ba5c7dfdd3e9d176e1c103f5b3338a4fff9f10ffd2890ca6d30974eb46aff2c

SHA512
bd0c94c6eec2b33788f281288bc1a11337bebfa2b0d08910b2aaae7ed5db4da73930e230c7a352f72f88721990aa93e9f78b5a352e882731831e0f0e4ec02af7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
115KB

MD5
aa265d22c0bc45a600c1cf538ff8e5ad

SHA1
6ea3d11015f95e0d12252d85cb21589c8a57d814

SHA256
d0a325a31a74d7e80471557d30750bf5f31724487de4e2a70b75925c2388c74b

SHA512
06da39ca94eec0b3ce1433d2efe4951cf214ba1475792ce5c44c4b3c53ae56c52f240db0fce5b5e3a1ee7dfea2d92b5f2c3bf08b63cef4cc7e966e6980eb8775

Download Submit
C:\Windows\System32\vds.exe

Filesize
126KB

MD5
ea9ac00cdaeb1947a9a2a9f9ac853c19

SHA1
fadb94aa75e59d8366bc36c411b7661528fb57ea

SHA256
1d0f4d2ece326598b7b2dc25555803ed69a9c071214c4bee02bc4c05ce1195ae

SHA512
a89e9792a6476315c2aa6ffee3aebd0621e8a04bcf929f5fff171935dfe12d904f232fb6c3f4a8fc66daf0a719755014c19892ebb1fa0276d3cfddfa634a4131

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
149KB

MD5
98807aceef1eb3fdcf8aca620c8b3285

SHA1
4048f660785ec87236e5b87ef36e71a9f699340f

SHA256
e1533b1d54a8a6d2dbbdd2590f898f2e98b161f4f0cde378133e790b8f09e331

SHA512
aac341f63eb53f1644e22721272dfdb0ee50fb862b3e324b387f483251a6ad98b83757b0e1826460a555cb95fe28fa6dde2a3a6722767176a8f3f0e9ce35663c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
96KB

MD5
bf652edc2af51ec5507589cf60f0ebd5

SHA1
473578c5cd1196455206518457aa50d5a3e44cdc

SHA256
6e4689b8e0db161e31455240782a1bebe3b25fe3aadd16575e1ae7cbea34eb95

SHA512
b51ca00bd3462050af898507796e09fabaa3d8f0b02064044e3638f7644a4010c5ba8bf2a0ae3e3bce706da34aa9ec8f774cfafec6730ccd3021f3e7bd8b9496

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
225KB

MD5
00c8b66a0a1fe97f2334ae076132eef2

SHA1
44026dec230bd00953aea4e93c49e240767235e2

SHA256
f353b0dd680e59650899e8ffa91f27c843f0440757e94475f1eedcc5a008342f

SHA512
f9358042a63bd079d6de677c9301e69494ea3216d7053c98b928b445c597581f49b2ca39c5fa79ba953b4237bac0b25dcd03373bba8718c89fe6bc36ad39919a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
43KB

MD5
e00f4eaa8fa609160d5935de9534b52a

SHA1
44b27eefc3877c63979bcc5948b0be6bce6d752f

SHA256
6ac665e46703eb6756d999f3e20049aad2ec5c2227cd84471ce731ffed5defc9

SHA512
b3aa82a4988d40f3fca1a9afe26067654dcbbff991f8ed6de0b1b695103d610e3e319c7cebdfedd5f9f72effefa5f0a4b1e637da7fa53eeeff223e94dcf727bf

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
140KB

MD5
593c42802aa9f1eb3276762f45f38844

SHA1
b5014e3bac6e3f6ee38ece6ca3bebdaff0157995

SHA256
879d18e10f2997ddc47c2b2dfe75d6599d990c291307ad1687f3f54a7218a675

SHA512
f186d688521164b465d7b46754aad5853f70bc53cd24d7c0aabcd2a3d6c83029a557aaca7da88e43301669e1e2bf0661eeaf07683abd51b02bfed246d528bd21

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
269KB

MD5
ab262ca553f027655328e9d6898d8dc7

SHA1
56d316aa9a03ae9d4da2c623fa3a82956adc4ef1

SHA256
9ffed539c995baf62e373f12972a03330afd63470526b42770cd5315095e6288

SHA512
57bd690674ebfcfe48411c0d5c0073e7f7562aae060835f4f45c8c6257270d48510733a41446ccea42577d919e60afda3db28f07a2d37d23a532cf7b7239d9f1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
158KB

MD5
c90bf69f1ab2e292319f4063ebad0d41

SHA1
eaaa4ece11d9ac454bf0d6a3db5660b44a18c49b

SHA256
aa757e2c2bcf1e6485801fd45dac9d1249fa52076849c91b543ac70d37d27c1d

SHA512
5e6d1ab397c2136f031e952d1ed786898b18fd57cdde7c5439d6e81282fff6b381c2e1fc8a284f47c17f81079defa7529a2f1ec5ae8608cb3a6034a0a8aa0eac

Download Submit
C:\odt\office2016setup.exe

Filesize
212KB

MD5
fd6e222291361fb0af9d6d58eb758b6d

SHA1
3363bffab1dbcdb1d04b744f5150036bc26107f6

SHA256
c0158737b1134dc221353bed5f4bdcc41ee2163a525d60175930eeb3f2581ee0

SHA512
81af3430e5dffd75f5b2c44948eed4aff522b1775600ff5900c7815821da81324f2f8b7314ac0ccd2cb49346d28f702a32b0d0b57477b2e43d43879c6603c79f

Download Submit
memory/396-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/396-113-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/396-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/396-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/688-125-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/888-118-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/912-83-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/912-137-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/912-82-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/912-90-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1148-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1148-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1168-122-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1168-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1556-160-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2068-112-0x0000000000840000-0x00000000008A7000-memory.dmp

Filesize
412KB

Download
memory/2068-107-0x0000000000840000-0x00000000008A7000-memory.dmp

Filesize
412KB

Download
memory/2068-106-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2068-158-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2352-381-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2352-152-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2352-143-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2396-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2396-484-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2440-18-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2440-24-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2440-80-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2440-17-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3060-177-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3084-59-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3084-64-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3084-71-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3084-57-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3084-69-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3464-8-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/3464-56-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3464-431-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/3464-3-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3464-7-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/3464-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/3464-425-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3484-162-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3484-421-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4008-138-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4008-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4008-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4304-128-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/4304-74-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/4392-395-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4392-155-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4452-419-0x0000018045020000-0x0000018045030000-memory.dmp

Filesize
64KB

Download
memory/4452-418-0x0000018045020000-0x0000018045030000-memory.dmp

Filesize
64KB

Download
memory/4452-383-0x0000018043930000-0x0000018043940000-memory.dmp

Filesize
64KB

Download
memory/4452-382-0x0000018043920000-0x0000018043930000-memory.dmp

Filesize
64KB

Download
memory/4452-483-0x0000018045260000-0x0000018045270000-memory.dmp

Filesize
64KB

Download
memory/4452-420-0x0000018045020000-0x0000018045030000-memory.dmp

Filesize
64KB

Download
memory/4452-396-0x0000018043920000-0x0000018043930000-memory.dmp

Filesize
64KB

Download
memory/4452-417-0x0000018045020000-0x0000018045030000-memory.dmp

Filesize
64KB

Download
memory/4452-397-0x0000018043960000-0x0000018043970000-memory.dmp

Filesize
64KB

Download
memory/4452-485-0x0000018045260000-0x0000018045270000-memory.dmp

Filesize
64KB

Download
memory/4452-458-0x0000018043920000-0x0000018043930000-memory.dmp

Filesize
64KB

Download
memory/4452-398-0x0000018043960000-0x0000018043970000-memory.dmp

Filesize
64KB

Download
memory/4452-384-0x0000018043940000-0x0000018043941000-memory.dmp

Filesize
4KB

Download
memory/4452-487-0x0000018045260000-0x0000018045270000-memory.dmp

Filesize
64KB

Download
memory/4452-416-0x0000018043920000-0x0000018043930000-memory.dmp

Filesize
64KB

Download
memory/4452-486-0x0000018045260000-0x0000018045270000-memory.dmp

Filesize
64KB

Download
memory/4556-14-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4556-73-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4640-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4640-103-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4640-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4640-33-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4928-174-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/4960-101-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4960-94-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4960-95-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/4960-151-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/5008-170-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download