kinsing | 635bbbe254e983f1181094d011d33b3961c53e99493ea65ebfcbcc3f1c52cd3c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
Size

1.5MB
MD5

de27529b17db2e2656778f67876900b6
SHA1

aa3107ae1ccd629c57dd70298c1482a9edf858c4
SHA256

635bbbe254e983f1181094d011d33b3961c53e99493ea65ebfcbcc3f1c52cd3c
SHA512

5b1fa47ab30fafc431ffe33d26f4c69921d65421d6b347ba163461ac636d7dd67e98b4debfe22919d1e1e4e0ee599d1d7f6d95a7f5569ad9073dfaa52786ca2d
SSDEEP

24576:kZ7+quEOtqZpp0YYtwlGhNsof2e7A+ebC:kZ7+xHmpSK8hWomh

Score

10^/10

kinsing loader spyware stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
908	alg.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4280	fxssvc.exe
3696	elevation_service.exe
2688	elevation_service.exe
5088	maintenanceservice.exe
2968	msdtc.exe
1212	OSE.EXE
3652	PerceptionSimulationService.exe
3852	perfhost.exe
2440	locator.exe
2716	SensorDataService.exe
2004	snmptrap.exe
2456	spectrum.exe
3640	ssh-agent.exe
2752	TieringEngineService.exe
4208	AgentService.exe
2020	vds.exe
1140	vssvc.exe
2060	wbengine.exe
1728	WmiApSrv.exe
1156	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5db8386e726fd8b7.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75437\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75437\java.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe

Drops file in Windows directory 4 IoCs

Processes:

2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed4d135cb04fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e40c945cb04fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041b6995bb04fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfced65cb04fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079eb105cb04fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091349b5cb04fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7478f5cb04fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fd71c5cb04fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e40c945cb04fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	992	2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
Token: SeAuditPrivilege	4280	fxssvc.exe
Token: SeRestorePrivilege	2752	TieringEngineService.exe
Token: SeManageVolumePrivilege	2752	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4208	AgentService.exe
Token: SeBackupPrivilege	1140	vssvc.exe
Token: SeRestorePrivilege	1140	vssvc.exe
Token: SeAuditPrivilege	1140	vssvc.exe
Token: SeBackupPrivilege	2060	wbengine.exe
Token: SeRestorePrivilege	2060	wbengine.exe
Token: SeSecurityPrivilege	2060	wbengine.exe
Token: 33	1156	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeDebugPrivilege	908	alg.exe
Token: SeDebugPrivilege	908	alg.exe
Token: SeDebugPrivilege	908	alg.exe
Token: SeDebugPrivilege	4048	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1156 wrote to memory of 1716	1156	SearchIndexer.exe	SearchProtocolHost.exe
PID 1156 wrote to memory of 1716	1156	SearchIndexer.exe	SearchProtocolHost.exe
PID 1156 wrote to memory of 3076	1156	SearchIndexer.exe	SearchFilterHost.exe
PID 1156 wrote to memory of 3076	1156	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_de27529b17db2e2656778f67876900b6_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4476

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2968

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3696

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2716

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3176

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3076

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
211KB

MD5
dcdf68b0e2fcefc0541a69dd9afd87b0

SHA1
73713d8c967b4b334f607f0aeb19d7bfff038f8b

SHA256
904fe5998a71045364815705193e96939f6406b69b44effad197bdc0fff3363e

SHA512
0b8f5697a3d37eecc1698fb7dd394560f1ae05a3237b2c1e9e922cfe8f6a2a3c6896bda9b9bb9fde0eb9e3dfeb19420b7547f12158466cf455a3079235b686ca

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
103KB

MD5
ae8b1c90d9144ce3a1da392fead41dae

SHA1
db7039589919bd572b4bcc281a4189f53f8ca6c8

SHA256
e92afd2c8334e6f5fd0d31f284c165dd3d6d3e46bb7a875ba117b1b9e892bb52

SHA512
a06aad74ac7b7d80f722a767d48ce16e6eb71040a51bf0648e50158411d545a59c16403b8a51a89d3e2d8062ee557d2cb579f68cecff06ac336f3c7e3926b90b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
271KB

MD5
f8045725ddbf1ce66fbd77361143b106

SHA1
62e1d5da24284cc0d2a2ec076305bbe7f12e3f6b

SHA256
16d752491c9964296f72fcb37e084b9206cc70701841a7b39e653610f5ca734f

SHA512
8a68337c246e004fb00fa176fff4a28b0a25a5a9b149383344ceaeb3520e44a8c9b43c02e32da66cea7068538d3971249ead95e9fe356479ac5ae25ad4244b90

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
21KB

MD5
1b766bbd7ddca70a2e2c499a69c17d3d

SHA1
a7c837d40241cd46b346655fa4c22899dffa0b2d

SHA256
132c72a0d282eb736e2b57b99b6c596eb55f8bf32d9921165ebf8d7383016696

SHA512
3461ffad277ded0f370667d51f43f039cb28297f4102e2c5918e4a2b5c6c3f3c71a878c73bfee4b3600684813bef8baa3d97bb969d9491bcdfb7cf64e4c6fc66

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
43KB

MD5
c76a6fad3e0898dcb097de58f5ed47bc

SHA1
4246dae2e59abb7bcd0c953d7bf5726dc3481bcd

SHA256
b7f5ad90a81849c75a94cd734cfcf07ebca78ca57547b36665d333fd8b54c8bf

SHA512
6f9680a3281058561c30e2ce4eb80c08f2f46725062f2199ba0046e3f89e585f927d56807392d1b8714b6aa5d5f24b6bfd8bedf714f422b9293aa96907344c36

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
85KB

MD5
053a3f79b8932784f301b1ae7a314fa5

SHA1
a2ce33f08774994f27c1031edb9356479836c1a2

SHA256
ac7697457390478f6b9ca85ec889b3c221af7c1f168c1ad890828193f4168b70

SHA512
0589ceb68825da56ee5775d010c360f6ed96afbe876987a158c59fa9e81eeec05a8a779e878b69f05a936703eb824e1272a5046baa90ae80633b74531ff65889

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
34KB

MD5
df3d8adb9bbdd467d2607319dc739ea9

SHA1
eb583b064fcd12953c5c852761887c74402b940e

SHA256
9127fd3c41d0c3e0c87f2aaef766cdbd685a6821c252a45d69d1e51b1bef2ad2

SHA512
50084d2002569e37cb048af34e5d50a5ea16736d959e3c02a96485f3ab1e907bd9d447df20ad54ea08efaba022afd9caced3f52ee13ee3591f65cc0fc923c815

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
70KB

MD5
934db00600247e2abccd423f0a7b6326

SHA1
74400782b7196396da10fcc8b88840d7d384a7f6

SHA256
4b753ab3b80961857dfab67e72c64ca11bfb70fdddaf32b22f6b2361ac6665be

SHA512
a1e9a78a095035a524ff7d3770a7beb28de27eb95dd258f3bfd0092282993073777cd1003c9689268b670afbf24afc0c0ab4606196a887d8add4d1ea1a5bf43d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
81KB

MD5
db7aae189590e49d51573f27620aa0bd

SHA1
d883b19670f6dd0c1d63ccfa858e294fef38cf5b

SHA256
f04da81325343e8653ba4edaa3085d17c18533a374ae9ba2a5e7f77aa7894dc6

SHA512
123238abcd4f5fef0d6795c6a9f8e0dc1b99f6c38ca8e293e7b0b65f9c85212ea646cb74179778155e2e3a80e0991e3958ddf351c090563859401e436c722c55

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
56KB

MD5
835d78c9827f1d648f1f8a2a14096245

SHA1
e3a2dbb85dc018e3c9cbbce6e5fb0117596b12ca

SHA256
3efe8e9ca6f2a40b57663d5dc8e57b0ef0d8ed44d66557fb68572f406030a420

SHA512
c6786c26a81865f6d6dad8944777071bb85095729c4d8bb1f92a4c1bb51735476723f656b986856093f427c9c879a7948ec9ed317b4a42f5be7b780ff16cd8d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
23KB

MD5
584a6e40f467a6130054d3cff5675454

SHA1
17fa227c9bf2ec03cc673d473e54899ae8ca0c2e

SHA256
4b2cd056730a9f4a9607d6176d16419da5df42473c3d2eb02c03ecdfe52e5b9a

SHA512
2380b4f22f85762ac0ffd2344d7d2b2f383f9f17165488c99a6111c12a7dbd749f7e7fc7e5b9f28ca453101e3f1d12a4fca8996f6f2e5ff2b4c9f3e3d81ecb62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
88KB

MD5
e7c2822c47187ee9b5a486ce4d311e40

SHA1
11f197d01fc3c6c26812b7e0c54fbd07be7a26ae

SHA256
fbb15b35e3e8ef04b494c9ec0e45306b81a1a19ef2f8d2ec3120b06812c475a3

SHA512
95712f19469a0e7707c186fe1f907b6c9cf7037501d0bd9bb95a949268b6ac78a05b10050ee717e6db534198376bdd09b847612a0ba7da4fbb1849d8d1c136f1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
46KB

MD5
0b29e0bd77e57c3788770860b074c319

SHA1
a61c4d2eba346715d8677491aa0e9f7088e2d532

SHA256
2832279a5af5514ddb2769eb1f3ec09bee3e757791fe327c39b99441a876d552

SHA512
43f8ce66527240952a92e3ae359ce2b22ad4428efc16362b1a79f1cdac8597c1148600773bfd8cf6269efe19f6938256592b2e93e79725b50d92f2a481eeebac

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
158KB

MD5
d88c6a40c457ffe3aa67e2bbf7f7e74a

SHA1
cbdfb46d6f0a8a44a6585cfc363cb365b9d0508b

SHA256
c34de6dd3e9caaff807d6fbcd6f9165280e915d829c69b5960a038a766c305c3

SHA512
4ecc0638b9983cf8eb7e195dda043ee4717a5dbe6a572e9ed65f6e5e4f77ddc07d5d6bcc33e6a2c474a711eccd61407f587307d1b3040f014692ffd5168044df

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
47KB

MD5
7731c8cdb87d53ead31b063b6e03807d

SHA1
6a3f479051ad924e47d76c60e3ac1e555b9c51ef

SHA256
ab0bfc5897614d269bf808e4dd10bb1d91477396ae7f0bd60f20d63854c275df

SHA512
9c13f65eb490152b3b4b5e3a369ea79894eda02d3e891f2f6862509cb20692687fbae944c4ef3a09013824a676fb38fb51fccd0e46244e2cf0bbf51ab6c4ed7b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
65KB

MD5
3a5dda8d1acc1f8a707831c8bc42dbf8

SHA1
defe79cb1c7d64c3e828975e7370683cd0322c20

SHA256
66c9991aad797405546a2f1a49870e7b02eaa0a488a55d3b0bd82a92095f45be

SHA512
8dd5cb89025171036cf0b830908556d63c3ae55b7ad7390a7442a86103641b64b5f746229a8afc5c3662a32754932c5fc0e701684b7bcd8601fe91eb120323ea

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
62KB

MD5
110dfd9539a7c0ebbe1cefe8d4595b07

SHA1
f63fc5795ea5c47c83e257d6468f9828e5d13b89

SHA256
0cd09318611e6263dde303925b69787b635b81eac56c3338f04531435bf4719a

SHA512
d37afd9789cd6e86dd26b1e5a664500570da4e0dc930891a1a443c3423fd22fd6a2b9fd5b66bbc920cf79a2d4e4aa3956a47f4015a892441e12af65fee2ddbb4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
85KB

MD5
4b86d56af52f8c8bba1ac989d8bca063

SHA1
0db491495a3799123ffc7a8ad170ccdc2aeebc92

SHA256
838ed788cc4db49380be01d43524445fb8454c243b2d7c762e1de7b6c68f40fe

SHA512
917a816abc0163ab0fd44a0e5abde10548fcbbf194b9764b739380310ebccaadae080b8a148b4e8523434f4a29bef9247d213bd5e68813410b8b3de7aa8f3c3e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
267KB

MD5
f27d5e8a2f1d5ad3fc8c502f8a225ab3

SHA1
a9879c8e860ace1b4af73f09e007d6b6f4ab006c

SHA256
47a1b13a3019383546f44a34afd1cbae093c01c9a22d01eeda581c267545e8df

SHA512
e2162464300201ea747bdcd8b17708ef01e8458da292b0cf0ee017f75890e4158d7fc914c08ebebc4e9645ae40ca874d6bbaa086104d2112a5c033392a9b768e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
4KB

MD5
54975e94fa0a7d9ed304282766da9359

SHA1
598ae79f38b5a52e0663e2e08d683e8cfe92d7e4

SHA256
4acab7b4913a9e759fff6f30449aea0e13d44a7ff5810db040616084dae1cfb0

SHA512
3c15237f454e718a6286a70c539c22f4d696cfe5c9e7d70441698649821e67fbd151e9191a03c7a081889c322fe5b5f50d2d5450365870160017457be6cbb957

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
78KB

MD5
f71889e5576076c209ab1f2bdccfdcc3

SHA1
13cc683f757c4c6f519ed9d9cca81a49c429cda4

SHA256
2112c76e20f2ee6a27642552a60992e6d07c87309e4e7e295bf62ac967e0752e

SHA512
8b5c3e01cac3707f14330e490de18b26240eed780b4cc9ec5585c61146bafdd9847c49e0a938390094e1fffa10da650d7034acbb47ea21d392ba91b56bde85a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
31KB

MD5
3dc65398113b9ec07292eb0c53fe3bfd

SHA1
fc01675a3343cf327798a48768afa015d2951fa4

SHA256
7ddc9543352f787fc7e876f494413614644c847e19fcc9eadb26e90c37f4af72

SHA512
ef525e8771f802faca61cd0893e1772662d6b289a794edb150503d070496cfa72e024e9e5764d823a3b909bce4dbf98fd2d564134f07776e8e38fd0a67757529

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
97KB

MD5
abdab019ade9572f6c3735076b0bec54

SHA1
44ba9ad8d1786c9e8ffd22742133ef63acc8d8e6

SHA256
75327012441df6fff16be143366f8e2cf8023d616bf10c20338089c64eee113b

SHA512
ad454427f203e416b577cc60c3010928b2155b7f6b1b43e993235de6444d4e36901413310e8118bdde2e2859133dace3661841e3461ada4041c151f42c192459

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
9KB

MD5
b9d29b24fdf10609819f6feab4f484b0

SHA1
f9d8cc1756b12ebc3ee642ba29a72f58cc3095d2

SHA256
6886eed5217a94bc96835fb4ace0bb701ccafa10601ecf868910f76a4988e189

SHA512
71f0d6509cde558d73321a261fe2d5b878ebdd9c218c6daee12f72b9bcd8891ca8eb12ed27c23efdaea961c6269bb787fd00f6c2bbd7ce3dcf37753bb334f401

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
71KB

MD5
d056bb9526dcb09ca6a252fcbe4bffb4

SHA1
eca271554c886cc55c8f45517f0cea54f4385179

SHA256
7352c4ae030efc72d240972bca7e41533ecb46fd8453d6e59cef55e57224257f

SHA512
cca9b3633ac4eff503328115e08e548f99953d4048531ba27f21b131c02606ed6b2a5a4becab66eeffe58e3154e00073f0af46de7937869b40da9be95e78db16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
7KB

MD5
c5c7674e8acf49af6e35638c18e920a4

SHA1
68ff6af417ecef8a2cc88ff98d648c5f316244d3

SHA256
2c5e2ea2c7c783f90c156308584e5997f6c1ea3a0ea5f971f35be2dbeaaf75a5

SHA512
fc5ee4c96d28b4b2ce0eeea0776404ec6e0b71487257f6753b1a29818809f4bace2fd7e3720c02a322105cc134f947c6d9ddfac14c4a0585b3974231b0a1e7c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
9KB

MD5
0699a56c7031b8849873cde0e38adb36

SHA1
4f8581597ea720087e923ef83d279995a69e157b

SHA256
9af6ea73d61dd593de990cd80e51b6dd1abad7a52c665bf849fbd8d560edd58a

SHA512
db68d9229a97e13ef7d833de44c8ea6eb6335c68618650865f2fcc6f8fcfb50030a049c72d2df90af0789e0f23fa87906a72df7e33d60fcd2fdf4e035cfd286e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
52KB

MD5
2ab3268f9cf9135bbac8567122b6a008

SHA1
3b31c7e3f4f4e7d86d05a671fce780c4baecc5b3

SHA256
3282ed941f249da7fad278562afd05de22fee509a018f7c5caf6d73ea2b4fe58

SHA512
8e41dd1827b09c1be9a3131f9ecacb551ddc673a7f12711bb404088eed8fcd1e43427b9333bc42f76aff9e94b6b3ab953dc3f878d5287a8663068bf0b18b40a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
90KB

MD5
9cda9ff0aa3c2f86ac7f67bc68a869c1

SHA1
51b4458be877d0b11375edae086d0e9ee6b82d1c

SHA256
d4fc8423d75bcf41eec6c26116d11edd41988cd094ff926abd3936ec1fec5217

SHA512
ee8d915daf6e9ef7319dd65bcb88fb6e7e99660555e6df1a648efa805772b06923e88a724cda0cf5ab306d0e258bc0913b19385de72aeba756ca144de2291a80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
13KB

MD5
8c31c523abf3bf3edfadf73014835de9

SHA1
a0d2910a56d0defb7eb54e91db67876f274a1d6d

SHA256
2dddcb45ccfc0744ca4c2fa1b9ad232d0dc802319634a3d07c57e3628e16022d

SHA512
51272369820a25f5c01a272f8da155c29180df6ce1da8ee8b326eabacbacc475e9c262ba700f0c4a0eda3e3b32974108afc4f605268c9a605784a60650e5dfc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
44KB

MD5
d8b056cbd215ba8828fa7b8523d4fcee

SHA1
9ef22042f0ac31f06fa50ec7c582b79743150208

SHA256
dd27e35c54404e0f226bcf21972e69de0a53e5f9e6be37557aed1920c36b6f5a

SHA512
f60669c08e0e01d62951a539a95b0589054e4f866c02e4f46f5ef1ed27819ff62f97bb75393373abf1ff1c14cf58c27e59bf5847f673e25fda49e25834479c75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
45KB

MD5
f0bcbd061edb277fd5ba8f1b328f8c4c

SHA1
3fc528af1de8ff29abba120895a75f033a064152

SHA256
7d6c58b82e01b09474620d6f8bb05e01dba6bdce36c20a77e4cd53ab814052c3

SHA512
e8b5853c48afdf47bc248ce9a52aa1bc815f22ccb939418b9c9478eb7699f76ec3ba29e69db5254d4477b8b3042a11b23a94fa88f5303770774460711b8b0452

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
9KB

MD5
2d62485428067a1100dd2b1f613a2bdc

SHA1
6f7e56823a5cc3fa8d2104be4b8ca08fb24756b2

SHA256
9259b3079f49a9e2db20a0be45bb1f051a735aa67667618d3c763d2590a6d621

SHA512
7d1dd96b17b68243075cd2dcdcc4b56be22b68013a7c5add65d9b89cb216b786ba0abef145c5799113476fe50ece3a1e7cd6d754366a728921bceae9564f9cf5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
5KB

MD5
76dba0eb88e9c8a9851c05a977a8071e

SHA1
13e19602d6fd1a68a28f6ed07aee3797bd7c0468

SHA256
4a631f10695c768cd67a15577c45b4e93fc96fa2064d78921e040fdbdb5f25d6

SHA512
1937a818cc1fe5109fe0330ef9dc207dfad6a10353aba47d934137a62288ec9d0f425b01d995f3a9704e4fee67c35cd341d991f1df58234214b0de5bfd8b659e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
13KB

MD5
3fd3ef86a4672e48a7ecfd75d3630264

SHA1
d105702d139adafff82c23dfe6bd94494814c39c

SHA256
6c3eb4c0e17b3e021a7f40941de535014894eec86d989ca3e07b2add3e19d401

SHA512
eec6e313e40677ff580e2d74333279c67473b921fbd37a55b0ab0a1145ed0bc188b9026b94bb14b620c13bfd12f57dd910c8eb0fe838f6a274a6dc6bf4d4c17a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
85KB

MD5
553de64122400e02303197cb6d235951

SHA1
a05033a70ce4216a8b3e25e2d9b14e627eadbef9

SHA256
e5e681c76f6ee3f64d9cbfae51878bb252c88726f8af55e0a5bd1beb1e0f100c

SHA512
bf772e8c42c430968644c7476b6271b607a0f8fdc1bc538ea05a9cc2e20517b82006f088417f35d5052d14585399067d7aab2be6daac91b1d370ff11defee62e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
64KB

MD5
8b6ca4ea363c762430204123cae24fb7

SHA1
7c75bb329ca616daac621aef7658a81511299e00

SHA256
c1c8898b0ba482b151c31dd1d3dc8daa7dc43962caab705840b595415124777e

SHA512
898f5bf0b6efb6dd980c38c61dbadc6ef3918cb73bc4bb40646cf35020e609321f5f99874b6a62fb64aa9aa5727ee73a59edd1fa655e2cf1f57cbe7d9f892dc9

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
30KB

MD5
edd66b1b180b43b0aa802f8cd68f3924

SHA1
db08e4fc0d1e10861a194697aec7cfcdae949eb1

SHA256
fe5b7004607097c75fc97e71c0ee242e81a1ee4b03fa0dce450b5f2840f04dda

SHA512
2362dab789dfa5c5dd97dcfe24dcffed06958343b41589b7965f0edc9988eef7bac0be6a92fc13d781cc0191f2b20cfee56db81481c1d4fca05c96cef3570b54

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
99KB

MD5
17439ae769d4b98c968bf9bf2191b404

SHA1
1f0e6a4014c1b605b5aa204a7c653e07d89be5d1

SHA256
94c13bcf1655ffe7977110e5cdcf97fb742145c58bf8c5993e80f499a4b28698

SHA512
db4b8440939f521484edda8d72181089784ba53f70e83543663e737af8f5e196e1bd407f9f0a0f9ffd32594efde3efb2b74ffbf90f031418bea50b5f516be159

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
67KB

MD5
3b7ea02db102d4f46dd2eefd50b1bd3d

SHA1
7450f1d50a6d8f79dd0e50f9c9f31427221321b8

SHA256
c3bfc80f5c2529f929503ea54f6b067f66faa519a412697efd613479ad08bd02

SHA512
5ce1e55d73d51e8a1d732abe63515b3164e50fa9eea32f430bd0852f46e89820f3b2896fc42f4022ad1c8decf5c410f957017b996d7857e98fc1f1ac9553ed70

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
36KB

MD5
afe47e4d881b327e7a3cac0c188f26bb

SHA1
8db203b1c714aa29b65758b5557d17a061bd6526

SHA256
8c85346c5a4f164ec15777d051d5ba5d2ad22191d9f612aad5143a5c096825de

SHA512
5a5c28aeca0e056f2dd5366088a59ff4e00224563579f21f8375591d39f57475dec543613a74338448f008541625637e1d6ce5952b4a52450f4211d339cf1a93

Download Submit
C:\Windows\System32\Locator.exe
Filesize
52KB

MD5
e0236a1f2c946cb4373d793343fef776

SHA1
bc8b1afb3cf19554946d2157e8a723d1458b103a

SHA256
62af0e2bb2dfc886558dd87d07aab7b23e13242b9cf80ea2510fa399b52a72d9

SHA512
c09535f0256e33df8f29e85f938e08d2d6584abd218ac739f505cb34daa442b77576e6ef8ea0518bd50a3b5982d3ce49941210e9d458be809dd99ebd32126b7c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
106KB

MD5
4b03dc498d2655c1e1c6a819f1c8865c

SHA1
c48756ec0e118b97150cee4bada685e7bd62ba95

SHA256
d874c9e97fe00c2b07f83e91ffd6655e6680f37f7d6b435f79c2d65d532eae6f

SHA512
84380e9dabafaf0122aca1a2d0dc30e47463107739077efb1902c59a1b91cfb1bea0a96637c97e97396dc8ae0627ba8d1e7be98322903a740b552664331c3568

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
148KB

MD5
e8fad9823d2a5e6ae3ef6ca634ed4850

SHA1
29c0a76f072b3dca4ac2149ac96324a643f1417f

SHA256
9e0eac6089d72bc60782f5a7ef063a9176b45d351252337b85ee575db4f9fbdd

SHA512
b8cd3f19028832319e7e08bb10f94ac5061e71d7635322aa81517a67a7b41e57cfe0612022a5d107182779dd45a767d7e0d3d8710434f7b82efa8457ad71dc5f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
25KB

MD5
b45f20c9e84594135a415b3ab5e65dbd

SHA1
0435978bbabbb3d6130f7e9d581c9286e9fd693f

SHA256
fe34d87bf3d2ef03cf5c7d852deb9608b4178c8d09ef3e533cea3139a6a62c7d

SHA512
c670ff52dcb01d16e2db5605af3876e17c05adad29bc94bea81e2e6562e05be205e5afd66b4f6a31762be55c837695fbe1d6ef62f0a6e8537369b8d338c25b95

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
52KB

MD5
e17eb3c2d8123879a3b6478d14ab7593

SHA1
09eee0907a74016b5c792f1f274fd57f4d989e08

SHA256
72ea66180e6794cc4bc5956afcc082d0603c24c96d425a082686e633a7411c1c

SHA512
8a3e5870eee0ef5cecf2e267a6b76f379dcbd115a8bc9a4dc2f0acc750f23e685ff26dabf8f3438cd38e1ef12d04b16c84845307dd3e21996cdfdc98b7caf28e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
89KB

MD5
e04f87cfbd16e30406070e3621f6741b

SHA1
8cb264175111ad57ee06aad272c7ccc9b8f7a9bd

SHA256
f5368a4f0e9d3f8d47a56a1dde55944f580570e0b6f2f8cb0e92df07c354ce0e

SHA512
e6b69b5c7241deb58895ba7c603868170ebb53940be17ed45ff44aead8ab4baf3d642f740494b2b459925e4fac68e2ce3b054307f9594a33b0e982bf0fb823b2

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
295KB

MD5
6fe7437314b00166131d12cdd116a20c

SHA1
82cbd1f04756fc1a535cd039a1138d3b205f8d50

SHA256
43f12614540699b530cc1f626030d53f285c82151c3fab3fb648783610e1d7ed

SHA512
af194ad832750d3f502c6e9137b4cf571960f9abfec50ed7395c9c5fb02a234ccbdd7ca5eb271f088aeee8937e370f85c994b19a715fae7add7cc3854e670045

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
87KB

MD5
9fe20d26a81edb054a496ded3cdbde86

SHA1
06e743aaca90508caa916d700b39ba98f970a7f0

SHA256
621441fdb241b56e8d74f879486844b0ffea15fbea7b060942011e1ffd6862dd

SHA512
a2fbaaab0f570a752b9876c76aced0b4dc1164f73a44958ce80bed730fff6761d8e1d91694b01047616ca6dce6eb192d1cd477f12def305f218b65a66cdb4765

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
106KB

MD5
7d16382781dc33c5388cd8cb09e7a47d

SHA1
e4dba31bb9be2474add8100cad4bc351b78beeb8

SHA256
14a81302e12f173ce620eccbd74f2d2aa72ee9639708508400f9ad44374be314

SHA512
91b1dc664bb2805481c5150a74de1cdcfac30065fe5ecf2575f3aa8ecd80a80d2374d1015b7f2fd0f2aa91360665ccb0c155a685e52d2b51195b9a92c2a6ef53

Download Submit
C:\Windows\System32\alg.exe
Filesize
116KB

MD5
a23508d08c22c5bbfc144c88363b91dd

SHA1
79c10c2cf3097f5a76c5faf24f7b128974f398ef

SHA256
49084fd0a54021fbd668ca9b1650304e8d1db3efc2da45e986e7f419821c451e

SHA512
34091320f3b1c6b6648b5f45164eba987a1b7cd6000c15684a9c4bbbdbfd40844383afe455a23b3c8e3b30240f64d71a6c5f825b1bd884891d210ef23d8e2ed8

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
74KB

MD5
0ce319a7c48bebdb7d99d43bac0155e1

SHA1
c545008d5abb248f3ab37ee97eadc8d6e11b2884

SHA256
41c37525047a183a82d49b409b74e66721c1fc33d8a4b7c7ce08bc78d32827ad

SHA512
31b7131712f8a8d0b517e6ed5b5db6026ae28d73734b856864facecab47f1ce3dcdd8b8a07c18881193c203c98bf3556fa81db9a0a60bbf018c86c6214fe9286

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
250KB

MD5
c49599f084ddd602f6bb440f9bdae616

SHA1
7cdfac23e03bc2fef3cafa96b7d795be59a4c7e0

SHA256
06a084150fb6ffe87c90b79f91bd224544cc78a344cbbafc2148183e6a682427

SHA512
25e5221c461760f92827b8c18526a3398a8df3231e8f889251fa9670313f85cadb4aaa5993229759c2c938d7e9bfc980bbd2ac7ae41976c5d1cc6e90d7d93263

Download Submit
C:\Windows\System32\vds.exe
Filesize
74KB

MD5
0f30e08e587300511e23fd59e7441146

SHA1
eae77bb8b0e5c040a901a94eae6e4e011a68bf1e

SHA256
3636accc270ba2e57b1c69a5f47ef7c3af25c74bc88279bbb6e48ea4f9183cc9

SHA512
a89df5cb4aeb680724e9647265e297d86d1674bf931efcc5ed1b9581036125530e4434675aaed242f459021c6be40fab28ed4415a60f49602211fd0105909e46

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
75KB

MD5
782a3b32652a51ef0f3f1d5db09bca85

SHA1
b023a0314327d4650e4e1821ef0d84c4aa09af79

SHA256
e42287de52b6a68df705e586796bdc4babaf9d8a09c8afb578051834830350ff

SHA512
3e7d76b1a96727129fe7d7952a1fe0c0f80326bf2ed8034905db624104db4e440fcb8962da87998b735702466f6b49228a801e6ee53dee3a26065299e8e331f9

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
63KB

MD5
3fb82dbbaef67ba7334b43f94849e62e

SHA1
7501cd3da230ac4c27f79d47ed60ac4f9ab39ac0

SHA256
29c5a9ea64f08c3d91bffdb15e40df45cc86709d0a85ec19d61cc78eea4aab18

SHA512
a7bd959a5b0bd0821104e99ffef4b2e885e97c91bd0b3899b69b0b925f3f8e76afcbf60c1acfdd227e97bc78fa08ecdde2f5986d866f5f1071d90032d77d34e0

Download Submit
C:\Windows\system32\AgentService.exe
Filesize
24KB

MD5
f1c629fde5759813e76c8db06af1f42d

SHA1
83ef3f9e101a13d6ab9b43566a8c0285beec4c9a

SHA256
f99ac7726f994a5e527389241382b335c07704a3a077206ef547c37e7eb1d066

SHA512
305b6161f7f098e1f7ee9823e1cf1ef4a2496d4742901fced09649c970e825cc9dd9ea6ab5d4e1787ae3698e26fa8a39946116770b72d064b1d8f04ae17d06c0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
92KB

MD5
7b6434cbc24c07afed8e74538ad1f393

SHA1
1a0108c64013298d8cad4c147ca89646ca2a259e

SHA256
a5bdc181017fbf002e41541306760a4bec44f28c6bcd6a185f368da7ac561164

SHA512
b67f029344d981cf948a95d2b6eba1dc53977d383f541d611f50ad47bf5d4870132f1868dac17dafefcfee6f1169f796730211d56172f89303e8bc6af258fa7e

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
92KB

MD5
a6c718cfc1579a5c94f2ee509feb8e5d

SHA1
fb408ffa2065ceac76a47c2c3183dcc09f472dd0

SHA256
7c9a9565b3dcc6709468640b68590154b6f93b0a6e645daa165bd319e7d1be46

SHA512
f7af756d74acff02d057d9ac249a5d5d219ad381ad3726385b0ccb29f386560a9356fa524efbe45464585623eac20e970fa50f2d66553f71c8a46e43fc17dd8f

Download Submit
C:\Windows\system32\fxssvc.exe
Filesize
98KB

MD5
a042830e96fe451e496676b997b3f0f0

SHA1
e355e81a5abd3a552e5c77b9ffb63c0eede548ff

SHA256
2bf47c031bd9d1fcf05e1701c3755f9f34e5742b4b31413fdd1a4d6e7bab112b

SHA512
1604eea8072d2f5a2a2d4dbefd6671a67533edc5d05763f2ce197c67f9388ee2d4adf80546269f5e90fb78c3673e22213c14dcff499fce84367834c97b33b5c7

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
184KB

MD5
77c8596d8c7e868fcba331d94afc6164

SHA1
ac137309e34d257c2abdca0065fc0c1e4074d7dc

SHA256
da891bb5de03778f76f3ffd66a8193ecf6dfbd1ee8e8013e582159778869e158

SHA512
42d3f2d55b93ec50099f9fdee9854e3ca80790be7c2a767cef6ae01c8cbc1c0c8bb99fb481e9b249d47b8b711ef34b350b5835f0473641a7623533fec50f3422

Download Submit
C:\odt\office2016setup.exe
Filesize
90KB

MD5
cbadb8164723ee573a52796aabe094d7

SHA1
44c9c4020e0ced0079bdcdccc436ad8e7afcf38c

SHA256
4832aa14021f7c32596c24c90464de76c100d3c52695386809fc5d35a6e4363b

SHA512
7210f5b1a47329481a03599dd601a917fd022bd446b79c5db331c80f3a700b758d1fc60d965e09205c4d657d9d8229ae3f716ccf7ae21903e8b83450c322147f

Download Submit
memory/908-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/908-14-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/908-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/908-74-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/992-493-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/992-0-0x0000000001EB0000-0x0000000001F10000-memory.dmp

Filesize
384KB

Download
memory/992-1-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/992-8-0x0000000001EB0000-0x0000000001F10000-memory.dmp

Filesize
384KB

Download
memory/992-497-0x0000000001EB0000-0x0000000001F10000-memory.dmp

Filesize
384KB

Download
memory/992-62-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1140-255-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1140-544-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1140-246-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1156-294-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1156-285-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1212-108-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/1212-115-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1212-172-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/1728-281-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1728-274-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/2004-232-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2004-173-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2004-163-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2020-486-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2020-242-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/2020-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2060-262-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2060-268-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2440-203-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/2440-144-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2440-136-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/2456-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2456-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2456-186-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2688-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2688-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2688-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2688-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2716-160-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2716-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2716-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2752-213-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2752-205-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/2752-271-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/2968-158-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2968-99-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2968-91-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2968-162-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3076-538-0x0000024B5C260000-0x0000024B5C270000-memory.dmp

Filesize
64KB

Download
memory/3076-539-0x0000024B5C380000-0x0000024B5C390000-memory.dmp

Filesize
64KB

Download
memory/3640-191-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3640-200-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3640-259-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3652-129-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3652-122-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3652-185-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3696-120-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3696-57-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3696-49-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3696-48-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3852-199-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3852-133-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4048-26-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4048-90-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/4048-27-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/4048-33-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4208-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4208-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4208-228-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4280-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4280-44-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4280-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4280-38-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4280-55-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/5088-82-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5088-76-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5088-75-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/5088-88-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/5088-85-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download