kinsing | e2fd400ef64cf11a4538fb9c4c88c3f74293642fcc26fc12bc25026ae7cb9480

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
Size

1.6MB
MD5

c703be897d388065a0be6ca5e7f37627
SHA1

33191a9a25d61f7654a50b2d19e5aa876c211bd0
SHA256

e2fd400ef64cf11a4538fb9c4c88c3f74293642fcc26fc12bc25026ae7cb9480
SHA512

4ce22eca565372e24e8f4a395add45ef3151f7e8d55a8efa3f89d2a3c5b8caaa6057d26baa7a84ddeeb2fb1a1a0ec3e85227493ac88f5571b120b3c47dacb3bf
SSDEEP

24576:B5t2sjXfHEOtqZpp0YYtwlGhNsof2e7A+ebC:B5t2sTHmpSK8hWomh

Score

10^/10

kinsing loader spyware stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3516	alg.exe
2308	DiagnosticsHub.StandardCollector.Service.exe
3608	fxssvc.exe
3412	elevation_service.exe
2816	elevation_service.exe
1640	maintenanceservice.exe
4484	msdtc.exe
2276	OSE.EXE
4468	PerceptionSimulationService.exe
3548	perfhost.exe
4664	locator.exe
4580	SensorDataService.exe
4080	snmptrap.exe
3380	spectrum.exe
2440	ssh-agent.exe
2692	TieringEngineService.exe
1772	AgentService.exe
916	vds.exe
4988	vssvc.exe
4052	wbengine.exe
2484	WmiApSrv.exe
3440	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fb7a47cc726fd8b7.bin	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75437\javaws.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085fd68abaf4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054953caaaf4fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008266d0aaaf4fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad8ed7aaaf4fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2308	DiagnosticsHub.StandardCollector.Service.exe
2308	DiagnosticsHub.StandardCollector.Service.exe
2308	DiagnosticsHub.StandardCollector.Service.exe
2308	DiagnosticsHub.StandardCollector.Service.exe
2308	DiagnosticsHub.StandardCollector.Service.exe
2308	DiagnosticsHub.StandardCollector.Service.exe
2308	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4796	2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
Token: SeAuditPrivilege	3608	fxssvc.exe
Token: SeRestorePrivilege	2692	TieringEngineService.exe
Token: SeManageVolumePrivilege	2692	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1772	AgentService.exe
Token: SeBackupPrivilege	4988	vssvc.exe
Token: SeRestorePrivilege	4988	vssvc.exe
Token: SeAuditPrivilege	4988	vssvc.exe
Token: SeBackupPrivilege	4052	wbengine.exe
Token: SeRestorePrivilege	4052	wbengine.exe
Token: SeSecurityPrivilege	4052	wbengine.exe
Token: 33	3440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3440	SearchIndexer.exe
Token: SeDebugPrivilege	3516	alg.exe
Token: SeDebugPrivilege	3516	alg.exe
Token: SeDebugPrivilege	3516	alg.exe
Token: SeDebugPrivilege	2308	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3440 wrote to memory of 116	3440	SearchIndexer.exe	SearchProtocolHost.exe
PID 3440 wrote to memory of 116	3440	SearchIndexer.exe	SearchProtocolHost.exe
PID 3440 wrote to memory of 1620	3440	SearchIndexer.exe	SearchFilterHost.exe
PID 3440 wrote to memory of 1620	3440	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c703be897d388065a0be6ca5e7f37627_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:920

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4484

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3548

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4580

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2024

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:116

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:1620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:916

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3380

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
406KB

MD5
d7eb6a99a5afc398fb904d1c8b3474d8

SHA1
08b390210cb3cc7f6365b09936d7ad1f7d9db1d5

SHA256
a30f2045721376ec8f2849c621fc5b114ef884ff64231bc65db71fd93a421311

SHA512
58339e09b4e00993773e4bd2915ee83db8f256d8ef44cc015402f86b0a469e2fbcc0a75d2610de93193945dd419806158b75129bed25398b6d1413327ba88386

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
169KB

MD5
5692adc4283076ab174b974b26b441e4

SHA1
5ba76a9ec7670a771c66a53274d0b8c46bb9e007

SHA256
33b26e23d564f6c87e3702fe662504080025b22f440d427e406b6a63f2bb06bc

SHA512
596d96d0c82568d88c9a955c5a2872bef8b4133b56df4b4165c12584f19e1b49fe1a113b069b269098081b7c96c9d90a0c35ad613aad1c2d6c810357b7a35c04

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
170KB

MD5
3bd67dab0ba5af1bc4310e33d6455b15

SHA1
34270ac094503ed0e824bc2752dcb36116ec2980

SHA256
53b37c051748650ad062e70136b0aef153ac16c6413815ad8b03ac78847de425

SHA512
146d468d5260475dd498e9f239c6cbbf2e233c204c0e74c8aba4f9f6461a113d532efea78e95f2422b7e0cdcaa9c0a472ab048e868fed416983d193e153fbf24

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
92KB

MD5
025c87458132b16df0b72ff8f9458609

SHA1
8ac66637d43df0c4aae50f57fc0a79e1034de958

SHA256
e6c4aaf43e98a76f568d3517955cf9008523ea9910343069b12decf0de798da5

SHA512
af3280734d307b816befc96fd17427c8dc18e052639c2da08a3ec7492c45e90a74cd21ddaed6b2f01e93eb69ebb8526a21608b40ab9cd8b950619598d04310a3

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
66KB

MD5
7cfb6233e1e0a5a9c6ea585da0198f4e

SHA1
fe25b0ced00c61825c9c9bbfd5753970fe5a9136

SHA256
f76acfe5ca1985d36635948ceabbe1a154050eb2ba1a0cd9081c6fcb9dfa09da

SHA512
8ed7b2fbfd6763ae1e1bb7a52c876c9d1010ad9f41d0116809b1019fc6bda5dd17ab3004f9c7055244263252164c181d53b51e8e3905a302d54701163d12279f

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
66KB

MD5
c9ab0631550070adbff94d99f70fc9bd

SHA1
56f6891be0db1297329fc283d91609cc7dc1a49a

SHA256
8c4999e814dc6d56215e70cff4dd2e61dbace9769e5c1234b1f08c4852f32d6b

SHA512
0ba4cbe225ecc156436414c9ca623014c73d8ad0b6115c8826729ed0b7c679da94e2ba9c2ea4260c048a8c8b56caea5f6162db70bfebec4dce442da787742107

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
126KB

MD5
40b8dffb218e9f15c3303719d61adabf

SHA1
2d37693b2fbd5686222bfb482bd4856d4e8c93e7

SHA256
5d6f957da734687e4536825bd2106e1da3f65b9ab80ba5fe24db27b3b90f7cbf

SHA512
47423ae56399300eb9f2b4ef2d7bfc91c024e820a28420e79aa8972b18c5ab9d1a327f50950f4ad7994fc365918f2418dcbde77170e06e5783f512daa472d3ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
81KB

MD5
f94e34e79ae3cc52e3357ff4adc90ff7

SHA1
916e30766372b4df66f67c427c7474a95c832ebd

SHA256
2dd26724bb2d4f78abef14f06254da93ba7409db26cd589e927c5dd7b20636e9

SHA512
01e26078d2de0849cf9ca6784d717675a984bb661d92d079f85254e0e0d95853badf58111092a2854e8a6006bedd1668004ce55165cf923837a94aba2bc8b339

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
101KB

MD5
bc96a9ef8dc42365beefee670858dce5

SHA1
cb13fc82e84142cf9f082cbbfcaf001d28a71778

SHA256
66e05663542ddb7a01c2991aaecab8bb28b1afd03484f1f96f7011eb81704a25

SHA512
e6841986eebf7594ac74da217d1034d1e2622f80f0e064bece3e999aaa3d4f3816873da6f6c0236284a8c1588ac3e443f37ab103797742bd413b2c4f3c6614fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
59KB

MD5
e0ae310c45327e9481ee69e0bc3518de

SHA1
c1699d4b7eaebc3cb03a1d0fe9c2a89c7a715e86

SHA256
37c8aad9507d9d40cbc06baf7d606ff5ff7e965616da6e74db367f62a151e9b8

SHA512
bc2c09f5c0db0db30aee1c3c4ae30d3c950745b3e23edf015214da1be4d3f62dbf167615dd8fb6fcd4fe9aa8a03b892999bea9dc35c7e04ac2fee8df66587d4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
5KB

MD5
7d9bc1ad240afa97623fbe8dd1a73f62

SHA1
354f64f02e3730cd1e4ab5ed1e4a3c2b8a09c9a6

SHA256
e7886db8944fa6b395a737226c52f5adea232cb3e6c8830cf49db4c1bf678fae

SHA512
967724c3c08293f149720437b9d7b99c1db6836f90c86621c0aa054e22e62114c5d9be2e16a2d1bdd3f25f694312c2306acc625f69d6ac425da8b7c000213a84

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
124KB

MD5
415f8e19cb43165c981f9a2e2992bc98

SHA1
97d42529b1916693e41787e867739be56fc4899e

SHA256
26f5e30919ed6fa74d68063f6b0d3ad66ded2092872a2f11a50f848f235a5d6d

SHA512
87feee856c5a3a731412f773bc95a50e505306ce9352a5ef92c3cd7f64169d29f8f3b646141215396dd4162eb0a50867765cbfd916b5bd083f65af4657417f59

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
138KB

MD5
bef7b677c6c26a4ae65c16d5728bf7e3

SHA1
72a1ce1c5deceb94edc42e6cefbdda3e42cd38a2

SHA256
12fe5103ee1be65608de82e05c9ffa1b4618c23fd98181e66fe02926f3b0a3ba

SHA512
50f957a691f624ade34de47974d6e65a54c5f2c874a5d2802a2ea602626eef0fe5d87b6fdfe9496a63436ffde52f29e9babc30cd0754b2bfb3b1292c8789da44

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
81KB

MD5
f6165c14ef865aa776f6a84414d0d326

SHA1
5cff7c74760636d4a91ded33ce01baa0835d2dd9

SHA256
ed6e077327a6d996ffd3bd7632c1142109bd9e374760b94f5a679627c25412bc

SHA512
a60fd453303342286c8679964cee9d16889e66ae919e2970244ea6d5d909700897f34fe6c697892b66078bdb83165b81dd8dc24e106f5571419a470603916d5e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
179KB

MD5
75e4882f604a36bf81fdb76dc787f507

SHA1
9bd38abf930c479d708865d0a09df569f83b322a

SHA256
23bd8ebc53650440a6111f0054d18a1e7ebb8d9125e8f6e8b076b29cf1cb10d2

SHA512
04309f705cc2c28dde0619e48bc4fa93e8fe0f62f029228ddc3645fb36d6999f753a3ec696b2e9e28d0e6f43551b5426b5353fde8ebf7c02f789ef255a28998b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
53KB

MD5
51cda33d5343476c2f4e155eafa26e9a

SHA1
e88eb465bbb266aa904e93fdfb5d179366caadc5

SHA256
98f442279fa21a264f59be980c92dd299ff3d1abe3c1648e733e2e9f558e32ef

SHA512
0c759e1505b286fa0c3f8f44afd8240499378ef65714ba130ff9dc6bd472fb8eabd1a5a8952d4b9e9807976f35bcfe8a82728b7dc135ee8acf6863ba774a6452

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
72KB

MD5
08af92620ea35e05ecbde3457687ee2a

SHA1
2b4fb93cf1635a9bda3dc12c4a9ab60c9c81f0f9

SHA256
553bb19626fe5e17b104c10ea3aae10a90ff9de9465d0a87dcfb9f5e3f729f53

SHA512
d3e26a4f30ce364149922de81d9c0127c4da8990bd4890de6d6757ddf32799d113f79c35fff6143d895b463f366671d3d47bfd9c96dd7d54a9278843e6933bb1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
123KB

MD5
40639936fa1bf2c841bdec800ce039cc

SHA1
9087c26d77e9bf57408d13a466256d171abf769e

SHA256
93bdce3ebb4e6ba0eb09bca2561f59358543488c62e1591dc1c317c8e7eec996

SHA512
29825b33ed7ccf6ebda983f23f7b23ab85efe4c774c30d877c118426992779ad3a77575c76ccebb9727d18985ea01866458e277022665745224a80c80288801d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
393KB

MD5
1596c0043c679121cce2168d6322f4b7

SHA1
cf5d409d45718108064cc3f0e530986048bd8f70

SHA256
eaaa00004ee6c29fd330aa9328324999f247a9f1326c72e81216416508213d35

SHA512
e8b160ff8748bcc52841578057ce9cb0567299261a0caf3c824a3a66c3b6ff8ab9a47629df90c08616e1afd69f84c144092d544079163991a0408a1eeb4fb761

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
78KB

MD5
ca4d86a458f557984e7cb4a8561b19eb

SHA1
6359737eb03dde6d526b073cd63b32e078d30339

SHA256
e388ca77eb1a4671fa45e4f7d255eb823d8ca21bf1f25257c076395bee7ad2ad

SHA512
3f4cc34e1d21c0d1db995f52fc83d666d1119312f1d64b843f012bef021afe5acee314475048f8f7fc27e0d6681211b39444ac174b1541d9f73df1222d93be34

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
46KB

MD5
5308d9a45c8192c0e72e99fa30398f98

SHA1
3d0a7f9fc6fb5e42b8ecd74b5f7171b76924a410

SHA256
41eaa8765bd74b4b0d30e29340be69a8525fca7234318e5797f626273c6af835

SHA512
5ae4089d74e1012a857720996ccff8a367ac3598834107333fe947b3b0fee99a8d64f5c2a177d379d9cb6d76682200c5a09ae3aa43bf55984f2facd79c23a5f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
109KB

MD5
78cf5eb3d063261e570db631b7baba85

SHA1
b347a94ddc148b6c82b317e83712937d1fef7aa2

SHA256
a8f1fdf15c056459347244282d1a44e5ef2d85e6018461920af14113ff58342d

SHA512
c7448c6d1455fc832f73b21843bd5dffcf60e291104f0eb2852f52469c49b608ba573e40ce69b0d5013ebcdb1c18e8085e49d80376addc04bddccff36f6b729d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
120KB

MD5
f8228499838a6896a8175cf2055edcd0

SHA1
423347c5f9b9ad449b6c8a327cb0e4be1853825c

SHA256
75e5b2a4c3c61d706779e693e02e5acedac9f50c36abe5c7ddbaae0639b87444

SHA512
bd5b2f5d94445c74cb93a5de201abab1ed85a86bc6425985deb320379d470afe3daa08781c02530c879071d46586e417fcf6eac4702e6377ef598befba75b71d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
135KB

MD5
84eabd34f573a7249d350eb5d5691c57

SHA1
803dfd8a45fe1afdfd628f0bf8c7ec595a9fa2a6

SHA256
fa9ec64c7ddc435c4be99348dea0e473579023ef3fe174a3b777123a6524f7b8

SHA512
7e886603a058074d9e7b0ee0acfa8e9139c8dde8bd297c2155c6cbaed76dadbb3a56d30ad914f94b4cb868604bf33edd92f63bf24ec613684b53a8af5a76884b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
51KB

MD5
5901873300438c21f6ba768ecfa594c8

SHA1
9ff092d9359345651c518abb47cffdabd8cf9d35

SHA256
648d77d71b860f3d3a4c21d49c53a396f906d55ba1004f006a47160e2a537594

SHA512
43f396f280dedbaa9ac00f352e3826f03ffbe501e8191859b766b367b45ba6e50847e34296023c2a4c955cb8b12245acde5de6705751ba88c88c2fa071e71bcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
182KB

MD5
8c08d9cc7fa7790a7548c588f27dac18

SHA1
3ff5d60d6c9f495510da05beb4bc08f112482b0c

SHA256
65d9d6a4daf1d83c276350f770a8d173b5c3025ef4cc929a258eb3d526265a8c

SHA512
15abfb68d883aa630fb519d3429d0536819f2e4e4c89ee23a86c2446e8e76d00a03e41c58fa3322f3f4380457a9a6d7295fa82298fca5ebe005c41a1366b66fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
76KB

MD5
7938a43eda2567610bc2a09cd0ca19bc

SHA1
4c3ed0b6054f1aa0fb6c0f761d696c63c092b7dc

SHA256
89dd571bb53e3d569facb3acc0a5408013d67d531615ff3f0196fe4922998594

SHA512
80c4f41cc54ef3063ea91127a549b68525452e47d299ddd7eb4bb17dc42c5db5983e94daed0a437a7b2a96eaaed2d971c73f6108de63b41d7d8ba66daab4df40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
114KB

MD5
c79c25d4902283c2a6c1bfea3981fe12

SHA1
1bffa3088e1df9e4a3c8ad96d114d2cccf8ce268

SHA256
aa802a94285b60906c9f3591f13f07a547eb06877ea8deaaaf35ba31086fb38b

SHA512
907ff43da45c6e2cfdb33b2770e593492ed61528ffad7066491d41b39e6db0ee1edb639526f62a70379a29b868cf0c38acb81aaaeed49b58151a43b571906331

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
98KB

MD5
13a4f11a6347a6a81daf54c6e1dda26e

SHA1
f5d9f379d5cbd92c10bd49b3cba87a285428f3ea

SHA256
8e6e2d7faa64c9bdd0fb2c8874dac8ba87559566599bc98e40f8599178bac4a7

SHA512
c958430558ec3c09bb2561dcde89b2497501dad068029c3fd044204a0d493e70fc6460bfb63cad1f46e9998af2395bde7556e11863ea903b575b9f64d3f5b443

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
88KB

MD5
fd314628320f75be6955e15036adfc1e

SHA1
397c19dc28e3157f237b9ff6c5004ca208fe633a

SHA256
c1007f0059b3b13561b6c706157a767d4454ad47c0ab08a5b8c550007af0b939

SHA512
5674f7f27e61a522a03eba34c86ab5c5f115f313b6a75ef56d883b19bc923d4ef2f647125407d65d5bed9e6b2edb2e34f1c80b8c3a4b3bce19d6973b1b29e37a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
111KB

MD5
b67b6add4064563f9a9ae9ce27cce084

SHA1
38d40e132537ef4a62b6c6d47c1e19adaeab42ff

SHA256
098abb1eb7e219d2b7722be8f9fe203d656c6e4e421e436dd57084ff1e53883c

SHA512
ca917a74e66749a893016fd480a6567383697a3ec584419215255f5d74248c33052f808497dd00a4675001d821f17267663ef8089ab01421730be6e7762099d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
158KB

MD5
0af5a3121d732db732da16f250cfe4c1

SHA1
aa211521afa5b5ef1f49206596555b0b4971a128

SHA256
07cff07b68997d848d7f42c4b62f0a87ffcda6f9458c66e24ea8ba2167336bff

SHA512
f3397a42130af71f177780d096edf4259c2cb9e15dc9b1410e97a3e1129751bc6a184aadaf8acf662bfe4bef9a0a33a36aab506944eabb8a1e3923a726dac063

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
158KB

MD5
3ef15c9adf6fe1843dc0954cccbf40b1

SHA1
8017cff7e52bd6c5d9c334e83e5d23e2e487835e

SHA256
1984a46ae86bcf62c1e3a532fd28df5086564a278c7303ccfbf7bd8c928fb724

SHA512
3ca29b7f80e3cd3cf3c76d3ef07e455f80190ad65ae758223dfa46728b4c3150a532334bf557613d3940a708331ad284a4053d4d78056e1ad6f98f8b018fe08e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
100KB

MD5
04e275bd59a21fa374f0f6ee1d5dd49c

SHA1
ecf7840b2dd1489c49029d9d0e0f74382295897a

SHA256
d4da40f742d4ec6ed3c2212df2227f144859086b7b43ac3c436d1f8c50057505

SHA512
11a37ed3173b42236723798a8412abd92bdf21c6b9264e2b5bf37c9e00d2b022e3dabc5bcfc48d8dd67d05083262218cdebc30d7fa31434afb2f2dd722a57f96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
125KB

MD5
e9eb4e7c542cc4b6ba261a92df0d7c80

SHA1
402ea465451ffab149167c5e786e2413c1e92cee

SHA256
304b09dd0b77208565991a275727f05b27f476a5e7b6c4fd13d9c6ab256cbc91

SHA512
1415183c6bb3498474272a79a9451f69b2fe9e963f4a4459d0d4d80bd6581f707a24504f956f92a6a9566f88549d78eb352c919b95895bbcf9e855fd28f4f197

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
15KB

MD5
bd13453f2f8087cafd42c1fe4413b1ab

SHA1
ec59d8af9ab37cc669949a41f0f3ed3cc5b16f4b

SHA256
3272b38f77137a2822af7f580e208a14d7c25ea1e61c1be558a98c70a2718820

SHA512
cd8063e33e164020a41d9d2e767754cca6d5a4c275c08137feda6c6897e12cff197ef71326dd20567ea02633853adceee55d8f7e4bba2527531c87f555823aea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
7KB

MD5
4d23057f835a241f154fa7cba749f6f0

SHA1
9215d0e6d0321502558d4dd9d20051aca13c380a

SHA256
fc7d11cd09d685aa155bf97eb1ed6157060767be59a7e701bd68c0c16fdedf70

SHA512
69485630c8ad76cf535f530d66202e30f3ab02c343c23f28c43a63c8dbf6e8ce67e6e29888b3a3217a394f1b97c3ec04dab24fbeeaec8b971f996b30e063eaf0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
92KB

MD5
b46c616e3be70f250240f73442110d98

SHA1
5d1056b6abca92a52bb55fdb10f0cd09baba5825

SHA256
fb340b6a2c286db0e9f175cec3c310cbeeb81f8b47ac323915a8086caee3cba9

SHA512
1cfc0ff681c1ccf7856493cacdb69874b41d4357f050756f85b7765970478e130a658eda8accd952a45bbea6c40af565b7a74d37e87886e560eb0f56efae7f10

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
125KB

MD5
a6f75ab3d8f89caf26b2fa4733e7df69

SHA1
58414e9087cc9e7b29997b7ec9d0f6ce2935e323

SHA256
866310f396683bf0f4ec04f2c24a75d8f41939546cb9bae1ba3988489e548113

SHA512
3a37f581206a51a1574511b892f12f05d2ba9292625835a52f662f8678e2293db364d64a3011bb9ba9835df747ee55659b514d381ce269e24078540e56117a17

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
92KB

MD5
d6df0cad0df5c124fc47f89fe3ad2689

SHA1
25b2decc28a7b54f53c34adccad0fcd6822da537

SHA256
0cec5d7f50ea2de08370cd8d2e14b3bd131f726a23676f4edb1a4304542dc0a9

SHA512
a7749dd8a7733e67f107935ccdac071b8e770597f0ced6a21f2c4250b475e64da32ffa8131dd8bfba6d4db674155ec4d23f6669a2692928a26b2da063e9f4fca

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
85KB

MD5
6bd0c76c30ae7a99b55c6b62ee7209eb

SHA1
bce9b90fd3f959f43a11fad2371861126d89c2c1

SHA256
a8fe44bb8bab35d7173aaf33ea9dfc855a13ab21ea75740cc2ecc8aed0143ccf

SHA512
f310d64596f01acb056fc95802185ab40c884640f08299eac9172ede7ac318bb9b9abd99c8ef5decfa8b953dccbf8e6cf92ea48cec20706a74f34ddad9b4fe9e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
64KB

MD5
d5776f4b178f7e589409012b339cc96b

SHA1
db3e76a44f34676feb7e251bda290d457f123a03

SHA256
8c34c2dc3a53c7c2feadb0e844e21295a3c508503d0c033208716dc24b3d3909

SHA512
5c3a300b978c425dd80b625c9221dfb4389c10a9dcc078a3a09c33210d1c1f7c13532dc56cdce5da6f6cebd151873bbac1949d49800135c77b99263eda1e8da3

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
10KB

MD5
e8a9a8ae9b3f0bd77a041451f958d3bd

SHA1
b98864b5fece8d5efffac9e3d904e152b0520f8d

SHA256
f5001f24ef89489bfea55305f4c84ebfb4e1f1280dbae3cdaa5511e5a8435258

SHA512
40baf80d6c432aa6360c62358ae56728ac958ed0a13e909d64d411ce7bc9444f02604a91de8908755715b4b700dce7f31bfeb3e7d441e4d59f5e6362e7cbc9af

Download Submit
C:\Windows\System32\Locator.exe
Filesize
62KB

MD5
a58ee59194a3ef8cdeb6e22dafaca6fd

SHA1
0b24d616ffafc8baf6466c1d0dd59740470c48a7

SHA256
08a94ec2ac500bac8ad2bf78077961cf54af958565a59923956d2f828234ff4b

SHA512
95b1fdc34281db8f576a168424c6eb19af804c0d536ae3f987d56e0b4c3091c0e420967a9647dc86844520b9f10993dfa29f015acb5d481b2b179e86da834e86

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
92KB

MD5
7222f68b99b70d8d67fe7d63e21a714e

SHA1
36eeaf4c1ea2cb4df718f6a60f632f63507068e1

SHA256
07b432e53c8755c729d014b4f7b73fd3376147c46dcdeca17c095f4f089d4dfc

SHA512
2186e4778fc7bc28dd51b93a4df43eead35d18b435fb61c303fa2dba3d9a8a4a7eac51a63dca5890c5fd043041dd838e556ab43d08412c422149f3953c1242fe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
141KB

MD5
3db955413b16f3c80bcda519a6349351

SHA1
099c6f7d9b385df65db6787fd2b98006007db807

SHA256
282fd856d4206927a1ef46d4a181f09bba17a0870924068202bf7f18c8c6948d

SHA512
42256f96b9e679a3129e31b8d63334de1d054bec26ac1e1910f616da356705765863db04006037626ca66223031d979a958ba0d5e987340184a1403c361adb36

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
69KB

MD5
e52c3dc0c3a3b0d804436524229f11f3

SHA1
6604c209ea8f9c63982dbe46dd5e8c48f79d57bb

SHA256
1768d48b137dd86e82ec782f0c2a9f8d9edc67e537ab43714ed4f85e28912767

SHA512
b1e92973ec76fd6b53582f7b56d480ec7f4ff75eb659f16d64a922091cf0f85fd32636267513f3f5843416cb95792a4ebbe2691a4800d569d6445ff7e563b345

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
108KB

MD5
d5c472ed665e8217cdea84c07856b76b

SHA1
18456fbfc38c7346da2f835d528f4a705179eaa7

SHA256
2bc8efde72aff0962483e47132995e71f9b4b56a2fa8fb3276fd7297d4d883d4

SHA512
706c66c02252680dd6477e015f036ef86341585994610dad3db87c4a04f685cc01d481220464fa560c6b49b7f3d42099d8821650c072516e84ee3dfdfb9ed377

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
23KB

MD5
5fcbb8aa4c2c02ecfde65ff85ef49363

SHA1
5e45ce40a4c051cb910abaccfad7d87744125017

SHA256
8d52c44241c3dc9e28a5cce484dd9e6574c1c9eb50943fe8c7c13ad6dc2cf683

SHA512
710a7e46d2eb4ca9ace5306d51fca3fc46217434fbefd890e30e925701d01e0648babbc7ac59bdae9b7e818d77b2e6043a6e66f647ba88aac2d7a92717c6895c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
152KB

MD5
25d9ad41d3a0df3838defae318adaead

SHA1
e72d95dabb16065f74cf2737554641bdf74877fe

SHA256
bcde5b09b913506a16704354a4ccc3333bf913b1037473589e668c4106075a57

SHA512
e504e0e74cb5f44f02b0789da5171e68f20ac55a97a160b5f9e2fc9175c1ea2fd7e725056f3a4de3746d9c999f814f7f80ef574fd138a7d83b8b741d86b658ff

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
56KB

MD5
34fee9fcc29b34e8ba9631c0197090be

SHA1
a6c6ebdd303423fd5a1517fbee8ba20de999de3a

SHA256
5d75b522ab33655151f0c7c80ea38d458f0138ad4965c9fb890c88b9f3652c1e

SHA512
b402b7c4885e35f8ebf8e80294ab81d366b5c9cc0d548032d3991aa338c95b7f910305111bf76f3a2570f7fc8a5ce9dcae3fd9a60734d111af66590acaf1a3ec

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
46KB

MD5
211ed650c6c5b5974b97dc44440fcb95

SHA1
298f31ae219ab611f9015b96e527b5592f7e9b74

SHA256
12a3213ac6c32cb1405136d080d622626bd99847fe2c22ce01db3c12ed5e762d

SHA512
66eb485192ad0fda0f716f6bd8237c8dfb47676ab3efcda7784ddf33f7beb630897cc10d36b175a016274e77a55db32e9d4ddc16f0bc5c358799b4e1bd46ac42

Download Submit
C:\Windows\System32\alg.exe
Filesize
91KB

MD5
cee6c8495949c56ee310bf1a7fdeb8a5

SHA1
fec8deaca1c4bfb5093170d67f8f9ce3390a9098

SHA256
d92da0bb2ea89e88f61055a1e878e6c2486b22e0193e5e1041cec50b9187aa16

SHA512
1d73d49a45591cdf5989c8db3fb560691c984b5d9486b7c78d4422a26e008b959823afe3f58c2c908ad2db207b45b39132d0090cfabce1731303e840f485d91a

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
151KB

MD5
dc1e99f93e0642a2f73b7d93f31ad38d

SHA1
91654a3c0e4048833bb85fd3a4dc4116d7ce076c

SHA256
a56059fcdc73c3fbddd9ae765da9eeacb928303b6cefded4526b0b3c9a428e28

SHA512
127ca017a9cd1f8a22d078cb305e0fba37fbe3173b706651fbf146d6b99ff555109c6bf89a6e0714d69f333faa2890966cd62163095f7fb07d1eb1c17708317e

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
94KB

MD5
b30155dbec56292d923847f4a9204379

SHA1
f358d680066df2ef6d0f28b5ff57888863dcf466

SHA256
bc816b9edd6e0762d078e051bd298060bd26610d788e051e94d7ca653176cc88

SHA512
e77637d1dea1cded021ca48e32807e6c9c4bf9f6e42640e2b89615fb533ff41b46bb5e6c684419158faa994bdc2c3a1ea50680d1f328fc76f2ff97b3746e5a46

Download Submit
C:\Windows\System32\vds.exe
Filesize
44KB

MD5
11495d66af06fbd94bbaf14895ba0bf7

SHA1
e9eddf209d8b672d1241bb8576cf39c35970eb6c

SHA256
45c8211b4dde55548c6ac71b0c4770f9a2a5d9dbd08b6b21da12942c29d1e04f

SHA512
2763dd8984a3886f069cdbddfbfb2bc2f5185d611c83f0943dcee14ebd12da13a8fc6b0ef5fb3b27a728ad7d2b0d345c98d906f8190e0e267d4f70644ae1c908

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
128KB

MD5
b7751f0ab8cc151c2c6abfbf627cfddd

SHA1
136dd49180ef903d84981303adbbb6cb3889ec1f

SHA256
fcaad3aa7082362a8a05b1ba8aa77a07f742bdaedd631200f34cdc11bdaf5d45

SHA512
22fec2515fc4164752f1ad4380dbe018c8e22fd274f8cc6930c5475432cd99c0accef2d668bec3fea40bfd7bbb98fdbc4d51bcab0fd0cb93d3d97b6cf2c8188f

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
30KB

MD5
acb22bc4f0d3775715486f5c027d728d

SHA1
2561d0f67d55d77a5c3c805a9e1005ff58c59758

SHA256
544ef4fbb8dddaa15c08eb5353cbc996559d1035a4172ab970d1a13fcedfbb96

SHA512
cc51970ec743e445193143b28dd49793290691f30fa7422c59aeb94fa1bb111cd23136df177a519bf99fcd5acab70faea6b188ca47134bcc3e9f8984740932f1

Download Submit
C:\Windows\system32\AgentService.exe
Filesize
90KB

MD5
e8e7f745de946b3abea612707e335471

SHA1
b1b8ff7dc0e28edbc2bd98d44d7c8106d65228a9

SHA256
b426f7131534d06c3da839ba7f5b0608bc9f5abc1411711c653da3b687e3480d

SHA512
701a3f5077c28eeab1e57807b79f9e1ec147af6749d27cd28cab4535a136b64de4254e6c2eb366e2e165b8b78eb9deb1f3eca32806ee1a3195d8967402c341ef

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
10KB

MD5
42e3fb1241f5c5bbaa29c45c6f8aef46

SHA1
ceaa9a29a3aced0b7f1daa91d732605ec4368674

SHA256
397fdbcd809b9a9df6abc6f24dfebe703e4647e1f5508a85527632016680c9f5

SHA512
33e116440c8e6304c3c0470c5eed5e156bca304c861dde570718fbc2bb1493dcd62d828a1a76258cad8e1381210b0a63cc1429f33e118e29f56031c48d28eddc

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
137KB

MD5
a7b5db2964469f0756db68963a411450

SHA1
be255ef0a2c72e34989624167ad904e2c7af68cc

SHA256
47d49b7892d5cf814d5f38534892d6ccd29dc508fe6b0ca16138e25944830a8d

SHA512
ba5433cf6a7963030741e8f5e193b2f7b2173ef13376d43c0cecd895dbccf103658961e641f5859893a342da47bd7787251338af6104427018f8917e64f2948d

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
68KB

MD5
c80f666200d63e80ec63d8280509dca4

SHA1
8ba887a8019ece0ab308ab604315851e532f7019

SHA256
ea58391c214af437a3d5b43f2defa7c9be317718a0a5cf37bc4dc124e34e7c94

SHA512
b1cd2f7e402d195da1cde0076d899ea010727e97102f5bbb8d1f325726e74e6803978a6c26db898632cbe49ec57e4df6efd7a1ae67f92ccb50b177132a691a4b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
149KB

MD5
028e27b924c62f4f5c89f2fe2c75e6ed

SHA1
8860ded1d0759c0649a6db30c0806c2640bdc69e

SHA256
8ffcc9bdd3709226f8de41cfb4ac4193571b63a84982464965827cff6d50641a

SHA512
3c0a94388499be4f3fe754441f16cb18c4f885906b65467e8b881fd6e6c0a5d1e2c58c0b1eba0ec5554665a178f73baf329ace5553d4b7963558416ddf408d92

Download Submit
C:\odt\office2016setup.exe
Filesize
118KB

MD5
8d5bdab348752a80ce65db49af0dcee9

SHA1
b54bc11f5d1b9fb6f3eaa47964407ccb3d256170

SHA256
3ed45a49f531b85d6133fc0c8ab5a53231ac037a0554d6e487b0d97bded5aa61

SHA512
1280f416da3fe434c55f425fa2d0c1935d3f5d733ea277c0080bf6bd789e3713f75e473c1ab3f1f9ba5613dbf60a003b3e142823ecb32f869c7b8f031b2e67d8

Download Submit
memory/916-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/916-242-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/916-486-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1620-535-0x000001C1707F0000-0x000001C170800000-memory.dmp

Filesize
64KB

Download
memory/1620-539-0x000001C1707F0000-0x000001C170800000-memory.dmp

Filesize
64KB

Download
memory/1640-76-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/1640-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1640-88-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/1640-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1640-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1772-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1772-231-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1772-230-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2276-172-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/2276-115-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2276-105-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/2308-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2308-90-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2308-26-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2308-32-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2440-200-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2440-258-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2440-190-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2484-281-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2484-274-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/2692-213-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2692-205-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/2692-272-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/2816-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2816-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2816-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2816-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3380-185-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3380-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3380-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3412-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3412-57-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3412-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3412-49-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3440-294-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3440-285-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3516-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3516-13-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3516-19-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3516-74-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3548-199-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3548-133-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3608-47-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3608-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3608-37-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3608-43-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3608-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4052-260-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4052-268-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4080-163-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/4080-174-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4080-228-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/4468-184-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/4468-122-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/4468-129-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4484-92-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/4484-91-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4484-157-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/4484-99-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4580-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4580-159-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/4580-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4664-137-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/4664-143-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4664-210-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4664-202-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/4796-496-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4796-7-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4796-0-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4796-493-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4796-3-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4796-62-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4988-246-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4988-254-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4988-538-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download