7b35946b2100aa2e75355c7b718d8da538110d79f0923bdc13f8121f527715a1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
Size

1.1MB
MD5

d8f204d4ed294531537fa20c17811c57
SHA1

a8bf282d32ea2945d29ba2d8bf27a039ebbcb12c
SHA256

7b35946b2100aa2e75355c7b718d8da538110d79f0923bdc13f8121f527715a1
SHA512

cfc3acd64f3427237534aa69de72ac25045e0d63c320ae1a965de61c5bfd883e96493881a42cdf72509fc84e9134dab1a80d62a04c7a8f9d664e39ae5b7fa809
SSDEEP

24576:VSi1SoCU5qJSr1eWPSCsP0MugC6eTDqMrfUgYbkhqfj8uqw:NS7PLjeTJrfPOkhqvq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3932	alg.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
3260	fxssvc.exe
5112	elevation_service.exe
5000	elevation_service.exe
1976	maintenanceservice.exe
3504	msdtc.exe
2652	OSE.EXE
2244	PerceptionSimulationService.exe
1172	perfhost.exe
2540	locator.exe
4508	SensorDataService.exe
2136	snmptrap.exe
1692	spectrum.exe
2072	ssh-agent.exe
2528	TieringEngineService.exe
4924	AgentService.exe
1716	vds.exe
4940	vssvc.exe
404	wbengine.exe
1524	WmiApSrv.exe
4124	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2dd87627726fd8b7.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75437\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75437\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c77923d8150da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ec5a03d8150da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000909f7a3d8150da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b4eaa3d8150da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005913af3d8150da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063f4933e8150da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3292	2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
Token: SeAuditPrivilege	3260	fxssvc.exe
Token: SeRestorePrivilege	2528	TieringEngineService.exe
Token: SeManageVolumePrivilege	2528	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4924	AgentService.exe
Token: SeBackupPrivilege	4940	vssvc.exe
Token: SeRestorePrivilege	4940	vssvc.exe
Token: SeAuditPrivilege	4940	vssvc.exe
Token: SeBackupPrivilege	404	wbengine.exe
Token: SeRestorePrivilege	404	wbengine.exe
Token: SeSecurityPrivilege	404	wbengine.exe
Token: 33	4124	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeDebugPrivilege	3932	alg.exe
Token: SeDebugPrivilege	3932	alg.exe
Token: SeDebugPrivilege	3932	alg.exe
Token: SeDebugPrivilege	4512	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4372	4124	SearchIndexer.exe	111
PID 4124 wrote to memory of 4372	4124	SearchIndexer.exe	111
PID 4124 wrote to memory of 3224	4124	SearchIndexer.exe	112
PID 4124 wrote to memory of 3224	4124	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_d8f204d4ed294531537fa20c17811c57_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:396

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3504

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4784

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4372
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3224

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1692

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
216KB

MD5
d1dbf765fc6364540b291520ce19057a

SHA1
d8903a11972576eedab1b6d36a865eadf5d1b19a

SHA256
9ef456aae2c58753770a191bf9bab9b38a1490d8a0698170a603515300ff7eda

SHA512
e7cb78adcbc0f42e9083fea1d7d986f98b4f345e19b6eb90312381b7e74f6d27fef48c3d1d9994d09beaf70bdc3ee00287314533473daf35fb9726c4318c28f1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
220KB

MD5
cb06f6fa664f4648e76bf994ffaa2f1d

SHA1
871a70c225a927daf813d25189929f942458b6f9

SHA256
802e3f401e92e60729aadf1dd413da6dc6e2a3d9fd03bc4659cc482953a8fcaf

SHA512
d7e8d753c38501ce14de3978bed4967fe88f084522090d07b0f4a45055b068cf98e0a47924a6b0d388ee24c049d9f78a3599f19140e68cc0d124c72619906ddd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
203KB

MD5
ccb040a16cf967eea2ffea1856dd4e5f

SHA1
289e18749e1c286f359401004e7fd0d194736ac3

SHA256
846744321ac716fa04d28eb95ca1387eaf5a825c5d2a078fee5d272f4f577d1c

SHA512
0501b01b7cee00d4b5b27c1f2967ffa1ecb28a92287999afb782b28eb3a781f66dfa83a05bf74e749202f85aa07b8ce57859bb4d857835f760e14d75b4589de5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
126KB

MD5
770f8319556814e97cb6722eda973634

SHA1
ec5ee885d9a6b93e0c30946158d2a963a5fdf619

SHA256
e54525dbebfefea5f822a4c184ca8b4010096a8e58ae9e83d6d8f51a92d275df

SHA512
f5ce18d12965c98243eabfe79f1d03a0d1fee551c0eb388f0582adf4165fdee0bbb7863bec9158f757cc422463da4d12f5c9a45cbda58e109c6e36f55b53a03a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
88KB

MD5
c1e81f4bff187662030b632cc58215be

SHA1
01f982b71bea8239a0f87bd5292b5f132dcd153e

SHA256
2c4b3fa472cd96cdd196dea26a059d36a2e8147a27a77dde08fa6ebf81002714

SHA512
b0fae2ca6bb3cf66b4ccb90ba6e624f1c85dd917f7a60408ec8fd586888314d140b1b24ab3f104419bfe79c3476c32b8e981e8d5a0f1ba2018f4939e79abe2a5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
161KB

MD5
df43a743ef387a5a706d4c4841bfef0b

SHA1
5bbd7c44a29054f2c822c88860aade09dc750f1b

SHA256
151bf63a6e1ce43e29a1b35a97d5cd138120024f11318ed1131f62f072905e35

SHA512
6fecdbbfdcbc31ec6dc610bda9ec2c96aba257fd3c36ed7f2ef9684d15e15cee4272a81623714923a16d332b70bdb944bdbad1e5cb6f0a967b5ba708eaa34a58

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
155KB

MD5
95f2d1c84fbfb91d5c34fbe69f79bdbb

SHA1
7afff55a4171435903097c8df270a319e734901d

SHA256
d43909607744a2b0447e84d9bd7d3866fb13b951cf549b7759fc1e2fecdbbe2f

SHA512
5a2a3f6a806c3c99b12d522d9fad2893550228ee49c6236439801d14f769bfd84141ea7520602db37c463d6aed1cfcbad5d989ec2322cbb9fdd6d973888fa002

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
128KB

MD5
a3f922afe963efcacc79b566c1851a29

SHA1
72a559da3822d49297dccf6db60a69835406e520

SHA256
25feee375c37a8cae8015e014878c83e6b1a2c79f988a6fe5a790087e56047a3

SHA512
6e239fb59b27a41fdc67a2b9cb2c593f69ba5245bc9366c62dec17ef3aaec20afd35b0d4206092a1ea143d06e2ac8c174f0c6fec6b539876f52ce7f1d2886180

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
149KB

MD5
8f7084bec93b0715277805e353a903a3

SHA1
168034b19454f646b1ab39dce9b9d205cdaf4c4a

SHA256
ec030bbad08e7d206b9b515905be8c72b814937844c4cfea9605b25e3c65bb09

SHA512
60f48c95902e7de7b4b879dbb880d60226e9a1fc6caf59baad9dc55bec9f08c784a86f089eec6609d36b15dc6466d8732cdfc6e9df2d23feafb3945d8d4bbe0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
161KB

MD5
e7365d36fa301362df182d9a4535adf1

SHA1
ed5baae401c23dc2a3da12bae38523fe0c255068

SHA256
969b6bf919af7ddb4ec8b470bb1c5a925c19f85fc23b2485cd77f1c5c49cb0bc

SHA512
48792ae61d27dafcd1e6d365fda1c238e1894b714b208776da8e6554a1e9862b48fd601547e0cfb210a7cee8f1a0139be0636b52a2a5a022a1ddb23ef9baef7e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
142KB

MD5
f30aff5538a47e3a2bdcd9f420f02a91

SHA1
9d1c75a2f4b67294a8f5524d021e1731e35ca252

SHA256
2ba305f4081b8b37317af32de3451ee1b750273f00b52c64ed689d5b3ff71a78

SHA512
33106ea2d9597c99e412635e84ca21c0fe794c75c01e27ad73a60f78c05c637f83eaccf92c921d1a455b24276b55e55cafa27b872948f8ba63e8ea4ecd93b35b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
190KB

MD5
22aa9044c4aed6cb64273593f980234f

SHA1
dcaf5854561bf06b73b61e935b2b7e3c4db98421

SHA256
5f3a9113569a22c191995b3f18c8451672a414db0a21b665e351e17ae22885d2

SHA512
aedadb5ba1e6777ff725d2ee1883e312d240e000c668872267a06f7bc0c64c238a80a387a92053e587a6ca166dbe3c23ca08895100318bab7d67573b174ec134

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
157KB

MD5
dc37b8b6feb90249b600f23359c88396

SHA1
bc6876c7c6fc5c5c344587fa51516654dc73ac2d

SHA256
84648914bf3a060dabd54c5821b03cad27b335248c6d31cfe54941c5430927d6

SHA512
bbacc0de26f1e866008f37fdd40c7310f3302e3d766b2aaa9474bb6468a98b45cd49d0646e5a62d5515e41184a597a87010f052be8b3e97ab71e451b8cb37b41

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
149KB

MD5
7a02afacfc94fd6bdd9573d870a53b0e

SHA1
14176c88a1fe8870ac2a652575f618813bb2c875

SHA256
e80a5eb74adbca3b0816f4d54737f484bf34a04c327c6ae3550689f90f1a2437

SHA512
594cb5b9ed719dddf318e64b5e8ec7b0a60878c4bdab90a7999486e9d0491c3ed4c685355fe321da300139202eb09d60dbd11e0ce60632b4e4f1a7f3f32a9973

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
181KB

MD5
cf0c46ee45652dc9c4a58af1ededb472

SHA1
9d38960a51e00b16cb80c091c44aabbf5bd00665

SHA256
01f55e7c1ff332a7445e44bb06c785274cf23095fc9409abbe3ec3ed1661c22b

SHA512
6f81da341bd5fcc34b518f2192678158d8c26a1f54dc6986060987425c127f45a551fb3a08fde30c5e90dd52473c7f4a35502f53f65f23ca4152e0e006845396

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
108KB

MD5
f13fca65be97e95091bcd883540b7f1a

SHA1
cdb5d7b8fe85ce07e14d8b2c3931fd0a8fa45369

SHA256
3614872214279e50e855561ba46d5ded65325b1c656f02bea40ac82be0e35342

SHA512
5c0aa3cd42cd4b741f88f38dade1f0d9dfdd81af5586154313afa62b3de1ffb3d338b320b243f8220fc8327d29b03f092fcabf9583174706290f71e5b380e75c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
119KB

MD5
0ae004c4218ae618e831cd0a8b76e686

SHA1
534b0698b857ce0f096e1e51d902ac0d8355962e

SHA256
de358b8811754dc12532791c2bfc222c7a3c12172ab960667a11ab943e3bd4f8

SHA512
ceef7a0123999f5e943100d7d3a07179dd895e139a0ac1ed4cbdffc9cdc9de75ab771811f1cda2a8b8a4494ab696cf9865c3150661f15afc6d030d296f2d08fb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
734KB

MD5
f9760dc3fb881a56568d968d51f2166d

SHA1
d5402ec0a9b2e2f9a8373e13efbb9076ccfaaa8f

SHA256
8ae3ac16c667e5d50a4b9d6ca3f4a75b52300ab7b7ad5aa81852b9689da20b15

SHA512
563de83100b53134649698bc140bb28aae12130dc89997bfac29815393385372b4731a373fdaaf76c8d79b37543c10a4caddac31953cee396161b19fa58a505c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
97KB

MD5
efdcce2b1a13b7ede24ea7931b4dec75

SHA1
5f68e9b07c595d33962d86a2ec71d14b2bedb160

SHA256
55d7ebfeaf583f999ac89655de67c111f4bfcad0e7c58b012a158fc2ef29ff13

SHA512
b2365183f01015913637be0be511fd273564cd13b05211f8f5200f9c11e132996371c0091e748431dd79beb67b70ae7155a5ba340aeccbd6f12530440163b54b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
149KB

MD5
9e26be2b69ebea5d372314a108582139

SHA1
5772bef7ecc13aad2d685dedfc9d43cf92e7a527

SHA256
5d4420a4875a92cc83a5ef857fb530347b7ae9a8c541c0dfe93b12f56e358648

SHA512
870b3bb620001bbbbaad597054f9d4c8f1a93b63fa0ab2af5a5d5a40ede12bbe26f65f5a2da22d0523fc57cdc94d7d8037732e968f49de12212e46891411626b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
71KB

MD5
9c940bdf19ee4d4924ecc3dc5341afa4

SHA1
11382258e03e79bc435b3dcf923ac8f13c16a817

SHA256
7e7064bea627356ce01577c4a69ab4e70c10d21e6adf9a65234497eb6cd00317

SHA512
18bd6b22e7cad74bb125b12ef72213deafa98f63e0e2864619314c35f4ee1441a334579f8bbc31d16c4115ca52363ffa01c6835e86aebc6bf0b06b0bf4d8d05f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
106KB

MD5
dcd8ca1a1dc5e140354fca63939a4ee4

SHA1
6e737f9a5764e00aa347916d960272e22b86c508

SHA256
3cf9251c86c4346ed9ac24512862335ed1d56d48b2af5b09d1a7b70c596da9c2

SHA512
10a8188c08a7b349c02f07519a3aa0df872d6cc9499a49c08123d7b6e5e84ca8b10a38a666ff6e9ca6dddf5af8822e74b8f76eef7c53c54fe077f2127f6f3b6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
107KB

MD5
4134b81b25bcca7b8cac3230ff5d2d02

SHA1
09685cc1d287fc0bab79ceef73be54341f9f4a84

SHA256
eaf6b989e7b8b9ba84f1afe316bc6ac4ea72c656b4d73eb61998619852e00f66

SHA512
763863a5302d91247f2083802565c4d65003ec5b850b690c794428dcaea4569a711fb52ab536ba1f3e97d3bd7e57674aa7febbc5b8f6b16ebbb4cc449cae0fd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
81KB

MD5
b118210c41db2b644a95858a753edb38

SHA1
d41d20c6b7452c19fd6088c9199f13a61591c7c6

SHA256
5899e97ef5ec2dea5ce98f3af9548311e84aae52215b49f707d6fc796bfcb2da

SHA512
03082dcb2e1d16376027c592a69d4c1921954c906fe46f9e78d9008231a966a3636f192753ce5253074118ad6dc93691187853d01b6e91a1b13b52043b52839e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
144KB

MD5
6f724c5349412de76f2a6ac870c0fccd

SHA1
0d4c85a62f97e29a169ae1f0dcee8351ad17754d

SHA256
89fd1afe2ce6dc50d8227c4979ca4ef6997d18c6845384654be0ceef505086bd

SHA512
3f521da0e156d1ed85769774bc94764dd2ca5c812951d42f79f62615b05fe907774a835ab0943c8be213a9b4219fe8abe61adf7bf35ccc04ecf858e619ce8217

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
126KB

MD5
2873fb1b0f5a1fb2f42de69b17193e54

SHA1
fc9c958fa0921361b98c8d7fdb09a65b77ffc506

SHA256
d34d88452e5687204f0e237a4406a2371753b5de68ea2afb44176edc73f02e5a

SHA512
5824f5fa3cfa90bdcbe95392e9567157d91500846b6f4c4243372b2970902652b17478f41b6ffdaa4eff11f7befeb695d66644c5e6bf7eea4977ded46058eb0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
95KB

MD5
e3e4c025212ad55068966ac4311a2da0

SHA1
26a2db82f304a3e18125139578a9aae628cbfe46

SHA256
dbedd5988f845a83821866e2f35c0cb509d56aa69458f3157ced0591a5ed20c4

SHA512
99d73584bca2a1123b17e2dd0b3652da568bac8119871b6b6554ef9dcf5c9f38ff110d151693e2d6b145e75a100897f174a209f61ee669fe004fbbbea213f987

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
140KB

MD5
06fa14dfbdc8f252288c35ebad0bc2ca

SHA1
b749a803b8b7bb3b1e41792e8ddc0346dfecfa9b

SHA256
76aa629b02c0d3dfae5f2c527b5e83aab52ef66b8713adbae834d7f62466463e

SHA512
129383fafbc928056c82be32d26a3dcde527eb82c243cd6d8e8fde176e2ea034268a2619c0eb3b4510acc8f6df3240e4319aef2289e70404dcefbd6f9870cd2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
176KB

MD5
08c969da2a8895c836061415e6c3dfb6

SHA1
7672419d6c04e9e6dc445f9dc92a0cdbecd37964

SHA256
d84424d99887a39cd416421cd27b0a0c5d13aed3a12442640a9614aed8e879c4

SHA512
4b2fe3e5e9f3d72ee1a4adb0610f845c635a83613954f012e769070753329a55dc993b425890456fff64690e7d4bb65019e8535625ec0cff5b1a008c4aed75e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
222KB

MD5
f800a0834bdb79fe46f22c120f8c2f4d

SHA1
b4c697bb7ba0660bc2ed5f3e9a514c2623c5df54

SHA256
53326d1e7b5638805188a6734f66a1c02403c121bdeab88d621e53c2f0706ff7

SHA512
75179b8371e8fcda63af52464e4c391ec977cad9b7d52981100df212ec238d5bc852e5d63f93090a0ed49276061e0737dadcd3dec95280d405071ba5d25277a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
117KB

MD5
8df5d25b3641e01181daa6fbd4ab6e7c

SHA1
3a748d1c871be2c2fac8d0d88b6552506fdf3491

SHA256
d73953e9e8f7032a61c2f1a666037d258062687c907a2a19eeca5e69b7cb7f96

SHA512
feae5a660f9fb98173810a7b92a857b2712785aeba7e8c2b2cd05a579d7eb9648eba8b612b433d78cb1137cb7aef543e34037ff98c529cf340ce9b246b8afa9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
194KB

MD5
960db55cfff2037ab34de07d667b736d

SHA1
ca6197467462201e8e01449c8cbcf775cab5ca8a

SHA256
b7db5237b2fe7681afbe43fbf653e1760c211a89b5de1bef36478db4dcb94f44

SHA512
88b56b875cf7d23d86efd1f2851658a18affba9fc0fb36fcb3294279a013c0e680d072be067893a47b3a6cfaecf748a80d7a7a34a602e3e3eed419acbef91d5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
76KB

MD5
db5d793e0f07b653ba084281486e3ab0

SHA1
b983132c4f6e3a7d92de5d9117a6e5e2114cf34d

SHA256
0744345f19074c344773281285bd0e5579e5f4524ef0c771ceb731e154a8edf1

SHA512
865a3eb2a62d76002c3b914fb2467c0f47cda534f32d6055abbf351c3279f0ceb4ff09dba9ac1f50eaf76bbbdb3c72a2020e2419f895c9794eacb2f281217b58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
77KB

MD5
a752a439cf81f386d0f5bc2a74e4fae9

SHA1
86d71441fb35b83639ca431e5656f943aafbd41f

SHA256
66b60e91138e615a6bb17c6950c3f32eefa8b8f214522f0c75af05e5d2c9bca5

SHA512
b8a124aec1c046a8529d7204dabe14cbbc34d252af41dba762229d69a90b84e058081beef326931eccf23fdf22350f74ed3de5d7d98a24d4af79f6990c185b00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
5KB

MD5
7d6f6b6fd976319a4fc8a368c8c7681d

SHA1
ca3841cd08c5da3e5f6a407bac96c89f935c529f

SHA256
f7784864f522d074a66bd31db499501bbbf43eb5555fb9ed167a452a8ab42fc1

SHA512
44f68a244b5fa7d082feb42a88a372494556fdbfd875628043be40d94c5a435c39bef75a39a4294e5f44cd749e91707d2c12640ed7a540afd48b255a7c105bb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
19KB

MD5
f13beff7225bd9f36c0df637110ea173

SHA1
c0d8d875c7d922e6002ef689309874f45608fae2

SHA256
a32417f0264681b5ea691332413acdf4f2773d81009ca09cc5d789ae2c86fc76

SHA512
d96bdfb1d20f69a3c40423c62bb5265cc0720b5b1f4317f993109146872b5bc75a55646e7788f542d5d3be20c3edec4a6e0db0a98d14bb61e7ce51947b1a9896

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
49KB

MD5
1ffdf65426ff647aab16494f8c72ed90

SHA1
40e7f108e5b2eefb2585dcedb0bc763fe4b1aae6

SHA256
05af7ed0e48656073f7960586435315e4157973385f0e28ba055f368dcc12839

SHA512
79e49e4c0b3a94391ad97012aa7412acc85dc289a7175162c937dac36c4f7205b34b87dbaba4d9e3b23b9af3463bfcf405e17f0b6e15ba1e1c8ced62d5128d6a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
114KB

MD5
88ea45b1ecf049e1a0df1cab8c063daa

SHA1
91cfd50ea9ce7ae8aa1e7f96cb7eae9bed225d2a

SHA256
d409429f5ed8fcc71e862dca718902aa814c23f88a1a05da9dbac1e385763dfe

SHA512
e9b1c2da84a04745af83f1085335c460def556ffa310181b89f4a9f23d7e3cc80c3b5a0ef4beb0f2cdaa5e5a55c67ff59a6624fc09b9242697af8e3270d277ba

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
106KB

MD5
a4ddb2193eed5f2887646ae30856bc7b

SHA1
c1bd0f0017cc22bde7d983a1ce85cca545f4040b

SHA256
6a558e13c41c69f454acab3ac05491ebfad13a363eeda273d8be659aad32a91a

SHA512
1fbf643861159e7e83b47267deaf883307799e1443f58d9e1ea02a168c4224629d7ffbc0a0830d4483563ab186f4ac502a57ae401f18cb0aeaba2e5006e1eff4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
56KB

MD5
2d8062d79f524bc589f47d9007a7f8f4

SHA1
ee8c7984962a45a0f85c9a4a7bc2eb1cd00e8bcf

SHA256
5b6fca26d31b443fd3b55165ec4053b59b8752b513950ac2bd0ec3b22e0630e8

SHA512
510a321ded170fd5b5cf83a711de70d1653a587991e2243828d9889d36fe1a132d562736cf1bc146f5533acfc365b148d8dd4807c2dfc976c9c89b60251d57e1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
164KB

MD5
0e1f2c79b500571c52ed8908539bc37a

SHA1
a296d684039669539580786664c95ec89c4de89a

SHA256
85d5d8a09aad42c580acaa2ee5190bbe3a5a324e0d58c9981ac5cbff274d003a

SHA512
b961b05b441278c75b13c57777762317ad05550efaed3734bffc598e050148622afacfdada5bd122eb192b2e37d3a096802406b7a497e14c822938eb310cbfd4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
740KB

MD5
8e29138e6a07b996f62e4f1aab13c5ee

SHA1
8d25213c897f905c0853f6d10a33ff66f4c1e8e5

SHA256
bc3585a8a2c7f2e70742d4738fc9b154445feb76670d57fc37b15db396099646

SHA512
adac08cb6082007e4218f0a9e6176219a1348ae11d7c59c56f478e1e12c32f7345ce1d29e8f03bcae7689ea67994f1d7daebd42466ccedc4be8aa7bc8ae56618

Download Submit
C:\Windows\System32\Locator.exe

Filesize
151KB

MD5
43bb99a1d037469658dfa184d3a278dd

SHA1
7ab3e0f3ddb41971709d90a30298773fd7e9e415

SHA256
b75b6e2d080c74ccf41157378a8f98009ff86c51be8f2e7a0e3676cbd4a53acb

SHA512
e86f2b04d1db86a23880e935a1c1154bd0acc12fe48339e25439bab06c5ba79a6944f3f3d67ef189d9f092e59d1d7dac034454b1a365c26f152e270c2db84b67

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
256KB

MD5
d673db90649ee46bd5a485bfde903331

SHA1
42a6f18037de99433e90a6516fd2ff1c9e2a79b4

SHA256
d24a8f03da7fcb5272b738192cabe2ad3f8253b8df0d05ff24d35e6d0b171c86

SHA512
ed54afe2b6481259460bbec11bcffd456d3d1f6e5a49d450eee54471bb96dcdf6ae514458986e92696334baf21cc4787c53443beb124a341d73db3ea27a06652

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
298KB

MD5
3bbb728dfc0b2d53501a71e815ffc020

SHA1
6847b98bfbd80415313dc5d05d1f7dc150d1ab23

SHA256
a335ce3fe543c4d41b44cc5933caf46d9fe96d82db9778866b442ac11093dee3

SHA512
644f46eab6fc1fa15c09a2f382ff9c514cc1874b59be89dc9c2528d27b09bcf1dbf207a4981af578679e3b621376eae9002a08b631c2aaa8266412417701d02f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
127KB

MD5
5323c9728ae3d829cdbedebb07b39e05

SHA1
138df18202d1c60daa22ede9b8571c0f348e672e

SHA256
8ed3f0f1773ead862436fbc440d94ae863ad22a70a39433c81a53c8fa463385e

SHA512
067dbe91b9b438c3b5c5d703ca4ae8c2a324ac210500f4eb4dd81ca65fc4645a2bb70af2897cd9bb2c43d2bafc6ae9b134310e63b20d5c313cc353ea420cc806

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
662KB

MD5
31dcfcd1dd38008c801eb86d72f102b3

SHA1
191dc5826bb8ec7cbd490b5fcd78bb10501c9696

SHA256
fec75bf1698828f1c46fe1aedb0ba4313e4cf1e2e33b9c463682f794fd682708

SHA512
5c5e84ebb33f114206162f4a4535c231131a3d7d66a6ad5e69c27f402796b28ac3ef9972317b275a3210a5fd65fce5b2c173c90b48c4793075504b6c68de329f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
447KB

MD5
4a70043113d0bf71990ca16b203f18db

SHA1
a62c593b3938dae2ffc847ccd546235d74de6a54

SHA256
8e99165e1b7ae18172c6ad6e2d15945c6409aee7cf633a340182863fd46cd139

SHA512
fb3efb887ddbcf9f31b8530d63628117b4fe5fd3f9774a6ab1f7b14a4f3d9d55f1bfd4321d1c41b77f41b7d4c9cc8082e41b8788571ea8a550edccc2b628af4f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
61KB

MD5
5174cabe89cc4d88b88b9ae861d09208

SHA1
8640026e7cf668bd704f8f86282c994c32441442

SHA256
35097e0f461c3728b234c2057499deb134df32e77d571a5aececbc4f3cddca3d

SHA512
5e4032e39b8ea98779da50c90b59a1b79faa5045109aca6f0c8a27cf023f84714e079c1242792a8747172c568b02fcef85d15729ba63b2a9f4886d13bc34c4a1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
69KB

MD5
5e2e2c4c801e4c17f3fcfafb5341c7d9

SHA1
412f5b523669b9fb08461cb9217126701ba8faa9

SHA256
006634d5fb16e80e32288e1ec906960ebd7f96d6bfe4e94d1d2bfa7331553b22

SHA512
79e586fd17c08dce77644bf021adbf4b7af5ce13a41648ad11368d164827a2341781cadf66a4bfdd2efa02d6184b2d124cebc5511291f8a754ddf0625bbd28d5

Download Submit
C:\Windows\System32\alg.exe

Filesize
208KB

MD5
2ce8df2c9c93ccf72304e4ffddd54341

SHA1
db493614412d8173d43d36cfb87c2aca4e20a867

SHA256
3379e37f1886121f9dc9328bc6cb590a07b9a2711b34efce225ec933e8513db3

SHA512
092b71225c072635040729423404861da897e83d35e848bb0fa70cab20c5f989ddb7132a148f00df49cd0ec3e15a77af14cb2665b05a25308c6f12b92640c0f1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
148KB

MD5
fd01a5b8bfa1deadc1bc9f24b91402ef

SHA1
4ab5eedade09ca366df7f46814d524d715e749bd

SHA256
797c2104d4c5e12e7db4f7e1b4dd4dbb7fa8d432fb7c6090255dada30abc7508

SHA512
0263f67b5d110435728372ce08a87f59b0d96326479f505f1d6c5bf03772b565aa6434902fba4e9be4a5ddd1d419bca1262e0aa7b6a6b4301e7742d3c73da44e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
84KB

MD5
b8accec7cedeb840f8fc480d2d2495e4

SHA1
18b9ba99093d1fa404c7a5a10cdc63375f55d380

SHA256
e9fba439ed5e68a472458227ed875317b0f0c513c52fa324f05159e0435ffc71

SHA512
05c248644b9372c0792b5a5b5f5ee826baea287e3dc95451448bcb77152b4fc8d08079a657651b3b317a52161e75594ae57b6ec2bcef8247860bc0038cc5785c

Download Submit
C:\Windows\System32\vds.exe

Filesize
92KB

MD5
a1cc27ce5e5a0faa65111e47ce1ed668

SHA1
89dd0edda4c7eb59f1a3ab6c055b91992ba65044

SHA256
8f1b83bc91f8e9d647c3d80f413453fd3ffb96465f5b3a08b8f9e2537db1b934

SHA512
58e4aec127b1d10aa279f52b98a30df7b21cbbbe13b29404d45e885f1475c62fb38f8afb3b518211eb5116eb30dee44ec918760a12fd8e2dcc2fbbc6d07aa91b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
182KB

MD5
fea4050e1a95e20be3e47930635e457c

SHA1
f13ed2b6c43ca90d5496d5e3013cfcf167e8d247

SHA256
1539f3318345d4a0c24ff289d2689bc32a7e32ea93d905f04431dcf74b6f2c9d

SHA512
d460d142ecaaf0de6e3768b2fa519768ebf2ef0f5f474e66d33038918ffba26a87738ee6e39d1ee2334353aa13927adaf949d593d3d9e256476ac8437aa4e93b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
113KB

MD5
6c809a5002a9ee36f27086218307ea92

SHA1
4c0553bff7e113bf96879b3ed93d1c21beac24f1

SHA256
ff0e93b73b573ad06d8197e7b63bf90aca1ce5ba18daa040e9bd2c6bcb44bfaa

SHA512
46dc5bf28fdb973ded8825926a4de6b11a5fdb40e8a1953cccab656bb09f11bd1defde5fc54f4043c8b4df1cabc3ea71c6ac3acb518748cb28e7f99890ce7d7e

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
130KB

MD5
fd91f81249d6e133766caf0a321b572a

SHA1
33f35b4d594aa529705ae3f5b22f7b036a500e21

SHA256
0320719b8d468129b60b81e97a97f964ddf90c2b6a990c4b25359e7516ac0ddf

SHA512
b437e37a32bd6bd5c365ce84619ae581d21b06540d79ee1271e4b782d960febcd353fc80eb7106ef9da1310a588f2a185b752ed716002f13c7687f318ccae5e1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
157KB

MD5
a5c091463150442da5d1e0f12981cbbe

SHA1
e86b356f5096f2ea0fa181a5da8ed753deefd3ef

SHA256
709ee3f97e443580fb07c8d4b0236ed228d8f5a5e46b7ec3f1da6c8dfe12ddc4

SHA512
1c6273ac8805d137ffd503692b188d91e93666d5e86a9d479b629ae5bc6e42ae7711073669acc22dcc58fb9551016d9407bb5e6c6f1368c0f8d84fa217186d96

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
220KB

MD5
9e9f9683b85fa6fb0a1b7cff9a442c21

SHA1
c9f2569d7d50b4c46539b3bc79a07eace3832e43

SHA256
007167ce210113be2c6b07166a8162e3a47e3bf64e82785c7a0e978ac42c1d7a

SHA512
ea84f5065f82592cfc53d21c5e73722de81387917392a5fefc4c85e334a7dd5861143924f1fcf8a0991ed469522742fac59b8b91702d8320fcbcc3bfba5551dd

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
227KB

MD5
97b388fe04d204190def44785f6c3b57

SHA1
abb965975d94f6ea42b09d1fd3532f56cbb7583d

SHA256
ba6f366544c1f5d95521d2ea6c114fe3afe344a1843007fdd41aa63baaeca521

SHA512
afb9c2621b7e83654a35aa2cf7f025a69d1676dbda06069d5bd46720e54da9b9d358b03ece28cb0d02e7b042c20dea4000c2d0782d6c403ed6d363fccb247979

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
228KB

MD5
dc0ee1910501affb34af32049aaabab4

SHA1
aeb1523e53ff68a85535446eb3529fdea78b8fa3

SHA256
a7c9430809de3bb55f46da6b926b7cacc6b9a6f049fb30bc6187c2b7ecd5fb8e

SHA512
d023248329387ffcd1ae2b6839e536f65e4c19c4e69cf4da749cac461dba553ebd9d560eccc3a0c9fd743a1e026a0064c485591b5858a7a4b497c99a7da135cb

Download Submit
C:\odt\office2016setup.exe

Filesize
126KB

MD5
3c6404c445f65bfd889a35aa01d3b3ee

SHA1
e31e2341dfb01c4c72fc65becec82e6d158abcac

SHA256
361ac5f00b94799fe1d03cadd678f2a1ec0a0c77a05faff1b3349d72cb867007

SHA512
b3ca67f0f3ac20754a173c3658584479786c12925f98d8628955c2e880b319fcc35769086db8982721f0eaec71e401e434dde3e3fbebed89725f38ba0a4a271e

Download Submit
memory/404-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/404-277-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1172-198-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1172-134-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1172-143-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/1524-289-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1524-282-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1692-187-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1692-253-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1692-194-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1716-242-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1716-494-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1716-250-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1976-89-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1976-87-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/1976-83-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/1976-79-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1976-75-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/2072-199-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2072-209-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2072-266-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2136-181-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2136-174-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2136-240-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2244-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2244-130-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2244-185-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2528-221-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2528-279-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2528-214-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2540-145-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2540-154-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2540-211-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2652-172-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2652-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2652-113-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3224-508-0x00000151F4B10000-0x00000151F4B20000-memory.dmp

Filesize
64KB

Download
memory/3224-520-0x00000151F4B10000-0x00000151F4B20000-memory.dmp

Filesize
64KB

Download
memory/3224-525-0x00000151F4B10000-0x00000151F4B20000-memory.dmp

Filesize
64KB

Download
memory/3260-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3260-37-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3260-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3260-49-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3260-45-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3292-64-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3292-8-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3292-3-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3292-0-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3504-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3504-93-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3504-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3504-100-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3932-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3932-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3932-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3932-77-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4124-302-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/4124-293-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4508-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4508-167-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4508-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4512-26-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4512-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4512-91-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4512-33-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4924-226-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4924-238-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4924-236-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4940-254-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4940-262-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4940-519-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5000-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5000-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5000-67-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5000-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5112-51-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5112-52-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5112-59-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5112-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download