46c38e3915c010b011ff91a7e34c194c195cf83fd9a18c385b21c5b781bfe900

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
Size

1.1MB
MD5

58df9882dd29217ba5b4336299d637f9
SHA1

ed1aa6ca60973aed5145411fcfcaaf24614da7b4
SHA256

46c38e3915c010b011ff91a7e34c194c195cf83fd9a18c385b21c5b781bfe900
SHA512

5280d467cbbc3e9eed422f6fd73d4ba3efcc66e2e18d63c9b558c9e03823d1d8144f525f2e6fc69ec25d2457d18cf87f62f953036c4c331b9538fc8a4e11caac
SSDEEP

24576:0Si1SoCU5qJSr1eWPSCsP0MugC6eTFMPQcGEdy22cbjW+F0VUreAa+EXBq:cS7PLjeTFMPQcGLtIrF0VUryXE

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4124	alg.exe
3180	DiagnosticsHub.StandardCollector.Service.exe
672	fxssvc.exe
4632	elevation_service.exe
3256	elevation_service.exe
740	maintenanceservice.exe
868	msdtc.exe
3924	OSE.EXE
2936	PerceptionSimulationService.exe
1200	perfhost.exe
2940	locator.exe
3532	SensorDataService.exe
4776	snmptrap.exe
1884	spectrum.exe
3636	ssh-agent.exe
3684	TieringEngineService.exe
3156	AgentService.exe
404	vds.exe
3640	vssvc.exe
3288	wbengine.exe
4380	WmiApSrv.exe
3748	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\39a754ea1f063bd9.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009d3c5155256da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f97e9155256da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b0232155256da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb1183155256da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c9246165256da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd3b4c155256da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dae7b9155256da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d049bc155256da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d235c8155256da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3180	DiagnosticsHub.StandardCollector.Service.exe
3180	DiagnosticsHub.StandardCollector.Service.exe
3180	DiagnosticsHub.StandardCollector.Service.exe
3180	DiagnosticsHub.StandardCollector.Service.exe
3180	DiagnosticsHub.StandardCollector.Service.exe
3180	DiagnosticsHub.StandardCollector.Service.exe
3180	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5100	2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
Token: SeAuditPrivilege	672	fxssvc.exe
Token: SeRestorePrivilege	3684	TieringEngineService.exe
Token: SeManageVolumePrivilege	3684	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3156	AgentService.exe
Token: SeBackupPrivilege	3640	vssvc.exe
Token: SeRestorePrivilege	3640	vssvc.exe
Token: SeAuditPrivilege	3640	vssvc.exe
Token: SeBackupPrivilege	3288	wbengine.exe
Token: SeRestorePrivilege	3288	wbengine.exe
Token: SeSecurityPrivilege	3288	wbengine.exe
Token: 33	3748	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3748	SearchIndexer.exe
Token: SeDebugPrivilege	4124	alg.exe
Token: SeDebugPrivilege	4124	alg.exe
Token: SeDebugPrivilege	4124	alg.exe
Token: SeDebugPrivilege	3180	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 2132	3748	SearchIndexer.exe	116
PID 3748 wrote to memory of 2132	3748	SearchIndexer.exe	116
PID 3748 wrote to memory of 4552	3748	SearchIndexer.exe	117
PID 3748 wrote to memory of 4552	3748	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_58df9882dd29217ba5b4336299d637f9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2528

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:672

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:868

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3532

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2132
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1884

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3256

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
538KB

MD5
20365be395f37a34229786db9c378a9b

SHA1
1c85cc78df2b66db2866f97846aa25e7c3ece07c

SHA256
b1aa1d98a1554bd97910f0005c2d638fcdad6e68e6c6ca3824fc4a5ea98e1259

SHA512
56ef9f7a5aa443ac2f91c49f82abcb6f82896ed2246846921dda811cb63b5f06f141e9b8c1701bfae3ba1622b71103f24ff9bca17c553886d8155ee870ddcad6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
85KB

MD5
6ace1d4d9e98d07881d7970bf006cb7b

SHA1
8b024d18724080daa89d81224074baf954f0a5ec

SHA256
9802d49371a55ce88f6c5cfe7ec4787bf1addcb13acd88599eed71bb264a09fd

SHA512
d4fe99e1f5f7b97b9a749f54077b989fd1a380cb28cb36ae3d2f3593b454b03827b4b4ba8a5ab2b51708432b2e812097a58fa27d9bd1b9c48349c43d8947456a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
62KB

MD5
7bb1b094f74ae354e9ec0c1cff12d4e9

SHA1
1ab241d17e324072c5ed69d72fad35722774752b

SHA256
adfc7ce883ef23c91522a5ca5ef678556a951203f219d78ec5775331e839099e

SHA512
a6585533db00069423c2b446af48c2220b7a7633953ce0b237cbe376009fc0d367f91df4863f5d164fd572aa637169d3ebe52ab2173b170d908246786a592ea2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
196KB

MD5
b524f98b97d5b9ed2506ca67533f30c9

SHA1
01bb04a110ab555bd6b0f9604db02844dd558858

SHA256
cb736a02e4f371416bcb5e30b83c6a96bbc89690e0bb187ade33865510988333

SHA512
8b24ad854426e4be351686d07908f3dd5948fe28cb377ddab6c1ba9b68365c06d89c2e0d71402943643175f2bee495f97f401ab03ea53043e90cdf8d6bca4913

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
121KB

MD5
0586ceaebcf097caad7b173367cabfb9

SHA1
65ce59694bda746ec6566d621ae77bf73d0ee913

SHA256
f67f5effed611bd96a3895cb12b1db7accce198a76b31742475bdaee7e6886b3

SHA512
e4809ea5aafd266872e86f4400a2b1b2288495afcfe2bdd63374c6a15f0e8b56db94e5a02f1885b61f0c82093ab0f928da8dd7a04005248e40550d72d9012b0c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
203KB

MD5
cb8f94159d1bae9b70f41e9aca66c163

SHA1
418fc5fca1662d98b308e343fabd00020478a038

SHA256
785d83d784851685294f79755a510a63e625f11714aa8420814c2bd8724259e8

SHA512
8a503d275f1e83e9396f7a9998c13d8200a48c973ae371b81e7a417adfbab570261cfa6f4f668cff3125aa0c52a31f6a8eaf6b76c0d258ef3d3d907545f985f0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
114KB

MD5
3bfcb4ca66764a8c541b9e6be3c7d55d

SHA1
a10845cf7430ae38e20963172f79c8cdd6f185d8

SHA256
ea699bc3ac6ec0c68f3bae5387e7cc526276a19e8b140a00e879bca79f6e6f73

SHA512
75acd1a83e84d297c4eed4a9d6dba32cf917184005ad6f34dbff391e88546b1940b71d2616dab4d99edd152fd34e5ded0115f8fc2f5f4b8ac5a09ccb9c3ce1cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
118KB

MD5
8da19cbd6799aa2f6c63ce33c0b5f7ad

SHA1
f2e1809ec8c1f9355afc34fa59e0f9d91f9b45f8

SHA256
52cecf5f4d5a7680186828f8249e46186b69f92a1f6fa412c083dc86622fb15a

SHA512
741cd90b76942f2524ec1a19a9bab2a6a0aea8544de14d086b8283354e2491023c7c60bdba0b4f0f048dfadb65834c4cd7c369681b36392a82f17ba5c191042b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
149KB

MD5
bd55e43f4f90b9bed4a33b6fc413951b

SHA1
91f02fe863eb385d52cee918ab37063d259b3c1d

SHA256
9d7f499ba5c2ef6489bacb9c8d7b93ddb233a9ade7c5b8feb6c99302d28d8ade

SHA512
71f120e3526ab21cbffb177edb3971bc36eab0acb49c6dc9c41aba731e93e3fbb674f2b62bc22afec4a718e46ea9c1418af17c8d104528f85f6ebd90f795766c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
120KB

MD5
0b08686ec949fa8712d64e727479ed57

SHA1
04dfb63c6db08abfdf2a77746e3f2b8e43633076

SHA256
1c1ccfdc10c61676766b9ab989cb9a740d87d07ddb026adbbc17002d30f99952

SHA512
a32caddde888540af58d3f6f8c76232cb693ce6634baa52d184d7b4b19c2efd05fbc53640d78bb1ffeb4fb1da1330b45069ba7af00e2f49179291d24513f49fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
64KB

MD5
563ef094bf7e560de5d677d07a25aed6

SHA1
df6f236353a48580d4cc9aa8537911279006a336

SHA256
23de95e3ba40d6aaaf475e775c057d1f360c069fe9198355951bb0fd34cf1d37

SHA512
3756372be2412773efe5a02ed7acde7d85c9010b6cb3645006577eb16904d35f5ed986ea3443e1f62ff553d077984d300bc5f2b2297cc787519e019fee36d9c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
88KB

MD5
dc818c64292f5c0d800e75c2bce623de

SHA1
047bde2d3e725d1562a8cb72998f2e116bc66db8

SHA256
1aa4fed80ccbeccb30e92ec92c4c250e3a93b42511a2bc6560cc47a576bf29c9

SHA512
721ae7bb02a554230ef2a66469e9a676214c29263dbeb94a2723bd56f273186bceb6921265ab720fdfcc06e862e346a80f9bb9ed5402f5b085497df5f6034f41

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
73KB

MD5
468cef398e67629fec716014488e768b

SHA1
fa276bc94fa8cafc248f7aa76042b74d95e802d5

SHA256
8e06b63066a6f032df2bec8704f3be5cf2451575c62ad12b7f2eefb5335e5750

SHA512
d751c5650b562924efaa576a323049e13b21715cd21d3b47a6416ff3e722baa4a4b7026659c51308e51300901bde717c4890b96a6481bc3f482dcd16abe7832e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
111KB

MD5
347f946cce7b7e32dce53724d6b534bd

SHA1
d8b656dee4566888cb42b6d7dd95cf48d30fd41b

SHA256
1b9afc88bfe5c317a38d6d2228aac1a58f1c084c19998e9692cd6b192d235b67

SHA512
05b47239173747ebd99936d95b2a6762ebddbc97c36ed7a76a1722edcf30c6e9f9af34310933038938847dba46d98e7a017e4307af8dcdbab5e794d9b5c07a5f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
153KB

MD5
6a92ad8ca06e115d3ebfc8335aa3b235

SHA1
de00d39fe9c88aff198ad3f9b158844255f697b6

SHA256
a3afc64d27a12928c5199f0c2fabb47b0f64df87fd7dca5699743b2a2549a3a9

SHA512
349c26974619828659d24769de02fa89c1ff9e3e1fb70e0c47c3b5098d8dcc674daaa60ac9fabdcc1b2d1130817b4bae9004e087df8eb95d87a126cf058ed346

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
195KB

MD5
6115ca135a9e452b61018f2a8417d22d

SHA1
3ce255e486f787b7958dd6b3f7914244d1c5ad07

SHA256
4ccdb1109e09ec8ed15926ccdbed99eb9641e7f98e21f61908568ea06b6e04bf

SHA512
608b3616ebb6982a50a904557cfb5d07cd25a493482c27be98d91bd3ddf0c432bb78be01ce5d4f78d91b5be949c3f5501e3bf767c496a8790f8576c42f780757

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
131KB

MD5
9e49f73beb3e0235135c0e931873dca5

SHA1
e7fff364b4edf1483ecb726361f8c1967d894380

SHA256
d76fb95f151a113606d63a8745d311e770c32c5c74c3ad558d29768caee347cb

SHA512
df79286300e0de8f92c98390dc91622fbd13b0e1a3f4a0bb879f65f6eb163a7dfc2ba9f76b580c094952c41da9c15106872daf65e56076962fa0b9cecc9b8e19

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
298KB

MD5
16e9185c48c25070c03dcb0f1bd088bf

SHA1
10fb4ae6efb2be3b580e95e57193415e7abbb6ab

SHA256
71a6a368787cba34b59baaac1247edf6ae8bfcdc5d77be1da7c879503876cff8

SHA512
4564fa8dbead58d116b44af63db928a1f04fce1981c456cfc871834a0c05a97e3f67fd08af4785319ecfdaa13949c06e4cdfc0f894b8466ef380b9280a2b7204

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
119KB

MD5
e787de82f820b4eac17a375a16af4b9b

SHA1
5991a4191e10a915ae6c957838fbb3b5c0e7fcda

SHA256
956dd130a930ad0952aded758dd21a612e1a1dddd86bc222fc3072407ff7b4fe

SHA512
74c9d80efde1a7a5c620b1cbc387af60d364cd726b60ee97b90c8cb2767b530939cce49147d51cfb87c623331b0a80ba9ee93af1e88be166087c7a1329fc4781

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
46KB

MD5
cea4d5a557c86edd98e02067821d5c71

SHA1
93e2863552b292a0c6d040fc820efc79812f7650

SHA256
6a5ddf799bf3c782a5b24c51cff84f58deecb873a05f6b2bc784c602b1265da9

SHA512
e407ae85b4f87df44f45dda74c0d9d6982dacc93d1bc2cdbf83e94274eb7286f1667081f02db34d477e2dd6d0038ca9b29b9b2745ae4d69bef699a6288c1392c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
87KB

MD5
548dd96670c5a08439ba6ec738e88a6f

SHA1
711477605a6c9284724131ca8a8ee3d3ff87e65d

SHA256
e505015a48d880ef77ee8d64f1f28ad1dbc0c25ee3aac94684d37b897001e943

SHA512
f19e9bc17d7b42b7a0b7cc53b9555a8f780580f579b7cd16837d8c2599a10bf98f51b1bcb61417f7a6e842d24dde38dd34e338f6ef7ae9dbd57aae3a3b2f41ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
146KB

MD5
0df2a6aeda4076d99628e6bed75645c9

SHA1
d0bd112a7987e08063e767ad30f11e7d073d396e

SHA256
148f09599cb9f2c221eb124a703cc02b6772ab3358dce561007fb7d4977cc65c

SHA512
f4b6fe983ce1196b4b0c8844ab8b3b23dc923a0e6b83633af37ba20d66e5cc0aaf83fc22b2850c4378f99e9560175909ab076a3f11480c9b54605e2e44a61830

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
135KB

MD5
70177ec8d34c7cbce22776f802721a65

SHA1
7d58a57db0a0531c742627e2d36662ab2c6484dd

SHA256
1c6a60bd042d58cff3d9e122e10cfe8b94160950878af576ba5dfc9be1bc94f1

SHA512
7f9172516412e67127fc4724f3ca09a91864616f2698ed4e9529bc7381a62d4e3ffb694ce74349d61a69e6bfaa3dea87c19436664d31f37d5cdf4c7ed672af1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
145KB

MD5
d317882dde4e37c34448619e8390fc47

SHA1
2e0c739ef2170b4b7f79c917cfb5b3d82b1d6dfe

SHA256
b7965e49023f205441e3da204fabbe0e74e9c9c3b0b9c65fb040828783a36419

SHA512
30015f866c51c00b57c30950d3d40b4895a4a951cb7db196166369694017b8c751d62e4cb8048a161354bb2063b9cb4d35abff0c04955cf365d4ec433ac9f8d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
92KB

MD5
1ded80a277441f5add81e3bed1332b5f

SHA1
c393ada3fc4273aff765b5c0049007fffc9c1557

SHA256
5e28cea3bd620c3d4bd5c4990150ea3f0757591f2858329db7858a5546f766a9

SHA512
dba8542fdbecf8b39f553ec9dcbbcc64c40b7ba57f829f37a5b80187503cf5b6a55b9636cd37de6cf45003fd73424dc38fc1b8373d00796b99ad66f68189c106

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
30KB

MD5
53b5c3e7e5b4b43aaf6d50e964eff1bf

SHA1
ed3067a23dab3175e352964c5cc5409070811d7a

SHA256
b6dad63407b8ec448297358e90223b619b50b1895f577be12379e716a22b5de1

SHA512
171550e995937c390842835447c4532705c1abd20a17d26b25288adf2a5bad91cabfd3828f224196b8eef583aa2a45a6aa88d04ec56b478ff8d94ea2cdfeb00b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
85KB

MD5
f56f91c25e3a8f557d47eefa1646618d

SHA1
d3a444c295595a01f9474f114c4e095c821b812b

SHA256
3fc90d4d4e4f8418b49629baf7d4c1df4c0d93fce3e837c9541b188c26039978

SHA512
49f263ba07c53b35edd30cc95424ae832f3f0967932d098f8998a215453a68b1411c570db7e3142f9fd57f59fbbd937ab3099538a284d938af47c55fc9f8d228

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
100KB

MD5
7031c5d3fbc294dd5c83a8e310c33159

SHA1
5dd38776ac26e9240bca9e92f977f97dbfcdda63

SHA256
84f2350ae8c3be427cd3559c917dd6761413d73ac4567b58c2a4d46c4dbf639c

SHA512
a96e9e35400c80d65aff41b5dc96b7a6caba09da9d358a1bfe9f829fa922de5b219098fc99aa1532868828f91bbdfce9081ecca2e0ec11d4983bb9321c1865e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
5KB

MD5
3dfa9f9099834bed385b1a2b4c4b692a

SHA1
4c834da0bb444fd0000cbf64d1c8d488ffac5664

SHA256
48826678fd5dbc20b480966a1ebc215c659d4e23b493fd89d8205b8e308331eb

SHA512
5f87984a58700d3758e0daaa63157eb3d9608ec9ceca44bdc964a7551ef6e89f7832ac7a39930d2a3f63fc5a116b84aead12d45f61b9dce3616dc7cc35ac5bda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
41KB

MD5
464e0ebf82f5002406d2fb9a99d20b5c

SHA1
e7a6c566cea211c7b4986a1a506f313aa06ad187

SHA256
3c72add2cc402fc2f24bd312f975662097262d0eb68c9080940acef6ae8482cc

SHA512
8cf15011f300a8a32c26e3851c40e4aa7466fbc344791bf3aa9ab3edf14d1ba8974915ef50c68d48c157de7c73fb01a667bf819efe5ff1a8b3dc4454c4b1da84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
43KB

MD5
413193a81e8d75207b28ce8eaa5b13e8

SHA1
6a1e908653775ce90ffc16d642ca67d9b066f6af

SHA256
fee1979821d0bf614ae72599bd7244473199db25fed88981584afcc4c646dd28

SHA512
b8114a72cb8eaa18026e46e3178c4854bdc05f127c0d319fdd3a37bf5e9a813ed2d86bbb1e2037c42b4f03a49fb5ac5e24cbc647ea3047591a1cabdc2d7b541b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
5KB

MD5
8b71606fda0a517707c9cdc0b395465f

SHA1
af545dcc3afd31997cf702f8614c15243d920531

SHA256
f9ce7afdd4d0617a0ec6c675a2263c66efe75b0d65dd359eb5080316c952893a

SHA512
01a846cf5694aa396e4c3b96c36d6f2d5f8d76c0c62dd89c5592c2fa0b5132bd772b5fba07b8e065e72feceeba43542af22323f1494b5c7323196942ce129cf5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
13KB

MD5
6ec73d1e952d2bca735bd1964a2545ab

SHA1
251a71361e0b8e27ee00ae8b930982668cdae7f1

SHA256
cc3f980f1fedfa9595b921ad99bcc5e51155cd81cf38a0ccbf61ca7e4b758b6e

SHA512
53981aca30f3374b1e7df02b1104466052a9dedd9499c84e7d287895fe4b80141e4e71432ef629a04f68d555687f9f0cd61bc70f47327107cde3d5d51c45038f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
26KB

MD5
12094f2bc2208a69a9052d4b0d0ef07d

SHA1
4ed653fbd03edf5f30c54e0de2bfaa347f76db56

SHA256
ccfe83beb34388e02f02607094b74e9077e663b972ec282ebfb901c800e64784

SHA512
68872d687f0f7849ee6ad56bae4726990055e3014d6de966fdd6c210959ba2860e85bfab73c58bb219ed02e9e6a962f6ea0e0969c84102b5569c23adfb0d2eef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
60KB

MD5
4a43b4a7eac222fbb6e8a984bb513e1f

SHA1
fe7dcf0009ba6f073cd89437140e5eb10b18c5b0

SHA256
2caff13bf5a5a3188e3b312b56b22dafb41adea86616b0054cfdeddff50f91c5

SHA512
d1b548d6daf751fb8c7aa2951f3d79af23d118a9f7b9b43f21e217bb768deea5606af7226158466fba32cd519d59ed427d4f64f50f5edc0092fcc526b3182eb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
49KB

MD5
2521c1a68f464da668a67885437edce6

SHA1
90abbdbea76e7ce25a28f9ceeaab39601a3025d9

SHA256
927d7dd291c7bcbb529c28a5328dafb7216b0d08326606e0a4e3e5cb6bb96378

SHA512
c1ce4dd29d7367c44e4d1150288971eaf4138a7b1f538c280062ba22e11e6fca21ce4544f58518c96c309d8dd5811bbeb1ef8d7bf92f8e35e8ece27f5ff644d5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
192KB

MD5
8495984176a30e7e2825f1c08f4f3860

SHA1
7228404417d12dab618444516c5895d305fca415

SHA256
1651237928e1c8cb4917e9c0425a433cee1bd3997b779eeb130c2ebf19c76260

SHA512
cdbeb0d847736b0a64274472d616a2f5b7e7929228a23e7cb8da9abe19703027b37666477cbb544f6556ddebcd8a1125c8c4a3b84c3c3e09788bf7bc65585bdb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
92KB

MD5
6ceac087212ca9819a3440dd4af40337

SHA1
53c88fd55c5de1edd50b3caacc0676056381ade0

SHA256
c2eb73b2958cf14d7ba72a256c98732090f93996076387fea577f4e0c5efd5ea

SHA512
fbfa6d797b9bf6359b0276e89c2f86a04e5c6341ea0d14168bab4cd3248983db2064d67832f513e432766f852420d48c8ff2e78e60b3186f3dc275afc54a79f9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
100KB

MD5
b6e39eba3e7a7008f43262d86805b873

SHA1
13139c748d1e72b8fbf1643aeae99d9e988b99d6

SHA256
f3e9591af77b9e31341ae9e624d4ebece860aa82bca5c53b8ae998dcd2e3aeb1

SHA512
ccd4d4cd2dc38da8049e33d58f98d93a51438c7f80bc39ff4568762ad40125f340e0aeab030b55692b6adaa67ff9d1b2cca774dc87a35c02b77ec8aedd83d147

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
86KB

MD5
5bbaa03d8f03bbff6890d5b47e8fb869

SHA1
c6c6adb4b635a04b26bda1b7b783d591d525d640

SHA256
95bc4508a28e80f1d6f763a31b8d7cec62a05b3d39514a18c4b2008b75954f06

SHA512
314c41213d485cb34168b059859791b37d8a4896ff5381897e69c9c12c758f8fd60010a82d43185fa6d40a35076d34ffbe0ae221c2c5939a9a803c5dba765441

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
497KB

MD5
0ac4eb774b96cc055925a64cfcd8d235

SHA1
bb20451ccfd61e474c8c9a3c7cc392acd0844e33

SHA256
14257e5c37a6906eb12ddb0f97928c1443619621360f177eaa741b14c640af22

SHA512
eb95e52beb495873cc3bece443a302c86d5fe8d4d56a63e6c0aab9ed1efb5c0c21237df7074a9271d58b4aca661b0f8588fb7ea0b460901df858012ab99f0d38

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
500KB

MD5
bab45141e6234bf89314c1c2d91539a0

SHA1
8dd073588d67bd4cadd1a3b67d80de18149c6ce6

SHA256
56b9f22e979da1c3f54570e413884e1f7db9610fe1608fb505930b1163645f9a

SHA512
7939215118621d0bb20b8ed42a5aa17eaabe648fdcc53528e94c00b182ebcf2116215829e7329c1e33148fcee23e55b884103f5121dea330921359c95cd17a43

Download Submit
C:\Windows\System32\Locator.exe

Filesize
83KB

MD5
aabc704f07d9c8440b82103c9b8d85bf

SHA1
a7437fbece1441b1a897dcb51bb09e455991d89e

SHA256
103c9f9e2957a9f9fba82bb67dcdde9282973508b3f13865397247ebaf034ed8

SHA512
6cb32c73ef425951474da86f6c31af01044667e4396e7db1686646572f1cf13c69c3f39a9d83be94f26aa6dcfb79ddc1a511b76b0dcadb2d20de447bbebfadee

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1KB

MD5
df8f9411658945077ea48b287fc9a44b

SHA1
c8d13ef2429113c994f5265f5124d576185be4f1

SHA256
58b5f53f0dc542864e379cff09f6630c149cabba64a61d518198f71c507457d5

SHA512
dc5548eb81d9e77ad3db85dca90c4b1a5d92f4b62ae964506c7b54607480ec2f70454b43249a9cae0e6810706ed0e61b0447d53fbf631de2af16d75d142d27a1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
28KB

MD5
c899bb137b73d736549bc04515371c57

SHA1
60b8d829b28792a110d276c2d04bc034b51d657e

SHA256
65adc8fead8ebeaa95096075741391da1a1cccce557305b12be8c9ccbe4f0d6c

SHA512
2e963caf4ef21f1fbddc6efa89ca5d51ba5b3b81227f0ff5e4720e05ea57794671cf721c75be5b98822dce7ed33cee63a3c903f767c966f59099b45de214070f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
25KB

MD5
64a67faa7317dc34c66893aded72c72f

SHA1
142c69ece2465ad155b0af0265e380176b75d4b4

SHA256
5610b6b0d760e4ac55ac28384481b0ea6f251bf387241096f9560a06ad436402

SHA512
5f85bdf62d9dad61f14de3e03d29126f0b0d6a2530210911395575457ad37ec3cda5ab22b5e682673e9cea828dd693724152c94b00e664edb3e2d1c6769b4616

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
32KB

MD5
5efeac757a7495cf5be6940a5ab9ef2f

SHA1
c602b857dd037c099cc079197ce1067cc8f2c703

SHA256
35b769527848d6de61fbe8964a3d2391ea5017b3fdde522593d449fd7e3870a2

SHA512
ac629bbcbf47678e482ee8ee91aff94494eb50dda1ef565e84b576ae941469054131aa76ea2eed11df9fa08c7c737ddd24a674d61d15000066c0d15034a2f273

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
137KB

MD5
f1018f0de1da63645ef769d40f1c1eb3

SHA1
e34868c989015c20a03133bd3d3edd99952827e0

SHA256
e19b4ded66912da43cbb3e2184c8decb97201beb465e09d2cff602ba0fad6c85

SHA512
a23e647be666768f111ae6fe723499fef766714bd0991ee214ebd90c5306cd64f2aed80bb28fc77b4097101d0883646ee9348f92857043d167203aac02c9a5f2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
15KB

MD5
94914d8c7e4c8525b6dda20534d86044

SHA1
0f697a06af99f8c58a47cffddd6e34840fc97f22

SHA256
da115a8241d7765dd6168ac234ceb2bb09b8c682689ce5958634dc3074a4d477

SHA512
b602c091abf06799628f2b0b933bf2245f0c61187fdba33fbfddefe9b3cdb8866282e54dccc7ce3edb47ae61c9392bf251b669028c3f7fc11a6dda1237522ac8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
21KB

MD5
38b05e0b75c11ea6042fc74be59341aa

SHA1
2569d74c820fcbe04be184c4603996a33a0369ac

SHA256
7146ba3e3e25ce833ab77e67d241538219fb00c96f1416170ef2eef4837c97cf

SHA512
895a8ce1eb4e6db77a1e5c5fea391ef5655dbbb1bb5fb98de8034b3db7b190b6ce44d63d0e200198cc56bf2f44d7c5ea4cd8fcca4f6d0c322bb79ffd20120bc4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
140KB

MD5
b1882d509b0d625de9b423373892c98a

SHA1
f1e520c24e3b8a0392b053c6f76605ec03a50274

SHA256
8787a63782c9945689f80081c35aef83679fdd1cd8ec9a2393b6ce8e2b3384cd

SHA512
db34d93afb496db6107e84d4452e245205933ea82fc2cf6cc9f17be9f40712dd44a7eb785d65bdcbb5850c6de6be1715d214b49534854578ff29736fdd55be54

Download Submit
C:\Windows\System32\alg.exe

Filesize
735KB

MD5
70a414bc6f7daff9e174b4f62d30aebd

SHA1
1b97211e0e0738b4b178d0d0f3325ed61db28010

SHA256
8c8ba6f721e6051e16e4bc4d414e2fb2662c5afb746d4809cd09339be9ee32a4

SHA512
916a6407bba7f85294c166fb5915f5a8474fd180f7b6bfb8c05db408d507a19763343c3f45b7068454b590742954516b1e01b415ae68fd3c208c9d7e903c0cff

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
232KB

MD5
8c3dda683108ab19a28a1457445568d2

SHA1
c1ffd0bfb97939b93d0442ce3cd4c77b4801a99d

SHA256
0effd597d50914a0a022ee9cbef8e2ca82e9d20e21d401845745c246e5539016

SHA512
0ea80f097ea441a79c1595f294fc8ca4e24b2d1a45611ce62229dadb827c854a6834b61c9213dee1c59412f8e2d30f69519da8f245470867791a4f50153c8948

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
64KB

MD5
c5d909ef613a8b934c8ee54b49268187

SHA1
500206fca709bee7bff979e56600bebe4ced03af

SHA256
94bd7a9d0f0f9188b68fa84b053b59056146745a919d107d1eccad3e6355f902

SHA512
d195cae4ab13d8b827a69b5a4da9520ce692451aa6918676cab8fcedc77acb3a89c97bc5040eb71c6097b88a07d57bf747c7249ec822f3f74f4f0ce01b83d339

Download Submit
C:\Windows\System32\vds.exe

Filesize
157KB

MD5
16714651f87270fbcead7a82e148afe8

SHA1
37a99e2b2ea15a33837c6f484a58c1468d38658a

SHA256
631ab81e4f59d265a8c14ed43d9ea2788ac5a251066d2ac5735b20f015f84df8

SHA512
dd4b2a970c4c3fcd84363cc00bec37f105d6cf0baf7d8dc6e6d5bdde1289700d1062cfcf896ae7db9069f39471d3634e92f6626fb4443858406b9bcef7be818f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
57KB

MD5
5d4e6c1b34dff0e3b9d54a2a8f687aab

SHA1
7764d9070145d6ca14fa3ea23e1f811a9a70c7d0

SHA256
2d96b6bc104d58b208781180e6c2054d025e213144c1762dd48a70c423c10c95

SHA512
40405277ffa2f9d5ffafab8b1a5ea423b09919d8efce4be00854f47fc32b93be68f48542891c94b40795aa0d5fa99825fa2329672c9490d6db5520f24ed91b5e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
57KB

MD5
527e693be4f42467388e2bb5c8702dab

SHA1
dd5041320e6b34117f7fd531fd0a556f3ba704a1

SHA256
35ef823077a6b6ecd85a9f0c48b5bffb4b638483612970ae9ed774dbb665d617

SHA512
800435cb77d307e96b4f307ff2e8ddc7615491e56eb8e9fdc0e4b363da097f0cc09cd7f6710f60688dec0e6dd16701d05d8cad22618a85d072eaed51c79cd0a5

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
106KB

MD5
80521244286c6ad3bd786a1d775ba335

SHA1
9f142025ab96588501817d7196d8ca180364a1b8

SHA256
a832a37fa3c03ffb8603916e0dc0debf3fae51758682cd3a157aee92b159b00e

SHA512
8c43b8b0dd62b5630971b948422c98b925f13cc2dcd6cbf20c23ad5f360a6567d0dfcd36e46893667c8c3ac6e0af8196cc137d2cc3f4dfa93d953f66f0309d6b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
50KB

MD5
8afa44f477c7754f556e6c8534557b46

SHA1
514369e78b8ebc243218f291d09a2c342cf5ce2f

SHA256
f25590969cfc1e069de9f238fcf426a3870e471a5782f527e6f6090fbf4f5810

SHA512
628787188d344f89f61c1dc1dc1fab2278cb82a80a22d9f4bc046330f0b91944bd887e8619893a5157904b0d5c7389a60f1b44e466b8cd12fc0f4e03b0815499

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
88KB

MD5
a5849235c8b581820a312b9f3ed1a679

SHA1
2c2a589334e19555bbff9d58a3cb47d8fa7aa55a

SHA256
a5f1156763bd577af4ce5c4da2fe6a310a3f8544822a811c8b92d2a840d5897d

SHA512
25c5bea3df091ef3b2e8484398fadfdd0ba1bc411bd420199efda480db7dc200aef2d5fec716d34d0d162853662cb4123d12c1a1d1a6fd850dd6bd2ac134ead7

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
109KB

MD5
5087ca9c9541c0010435696e18703790

SHA1
d9d18a953c798f0b0721fa4331e13bfd4792863f

SHA256
870e192506113db39cd52b52fcdaba5eafdf097b43206f74e61782872e0ac76d

SHA512
52457df7dbf9835d5e0e27b3695026921c79eeb8ca923cd4e8e5af9572fbb1d646045ad0e8a634dd396c4e7894eee1fe2919037c08d5bf2006e713fb27e391ff

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
110KB

MD5
cd90124c016b7f20c078d565728ab505

SHA1
1a0106e0c946c40c2d474c207a59373e6b4ddc29

SHA256
9b2d92332bf8411a2409940f3392c9345bb5982303eec66018fef8393c12125e

SHA512
d77b740fe87b7b9c73334ff5a984f1f6994c364bf98d99639bdcab486464a5b3bc6f26fae59d99860e6f6b3fc32c11e2b6b8b4981c1ce0ad03c429f5e5e8ae80

Download Submit
C:\odt\office2016setup.exe

Filesize
181KB

MD5
a32eaadb4ba37b2cd4034318f5211ce7

SHA1
5cdaf894d75be3967a66b450e0471d39ac9242d2

SHA256
718bbca5cc76a2dec4012eedbccace156e2079b9e54493f0c1a2e38075d75944

SHA512
21a5091898cbca7518e1c2d4b0ef813c62a4021886f8aa1338a1d4b21e557821c29dd580da028c432723c7bb3b958650e72f782c58e0f8cca938b5d219ed6033

Download Submit
memory/404-237-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/404-531-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/404-244-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/672-37-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/672-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/672-49-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/672-44-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/672-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/740-78-0x0000000140000000-0x0000000140261000-memory.dmp

Filesize
2.4MB

Download
memory/740-83-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/740-76-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/740-90-0x0000000140000000-0x0000000140261000-memory.dmp

Filesize
2.4MB

Download
memory/740-87-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/868-159-0x0000000140000000-0x0000000140250000-memory.dmp

Filesize
2.3MB

Download
memory/868-101-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/868-93-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/868-94-0x0000000140000000-0x0000000140250000-memory.dmp

Filesize
2.3MB

Download
memory/1200-135-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1200-200-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1884-247-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1884-186-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1884-177-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2936-185-0x0000000140000000-0x0000000140242000-memory.dmp

Filesize
2.3MB

Download
memory/2936-124-0x0000000140000000-0x0000000140242000-memory.dmp

Filesize
2.3MB

Download
memory/2936-131-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2940-139-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/2940-205-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/2940-147-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3156-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3156-227-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3156-231-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3156-232-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3180-92-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/3180-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3180-26-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/3180-25-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3256-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3256-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3256-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3256-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3288-270-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3288-263-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3532-160-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3532-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-192-0x0000000140000000-0x0000000140299000-memory.dmp

Filesize
2.6MB

Download
memory/3636-260-0x0000000140000000-0x0000000140299000-memory.dmp

Filesize
2.6MB

Download
memory/3636-201-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3640-248-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3640-257-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3684-274-0x0000000140000000-0x0000000140279000-memory.dmp

Filesize
2.5MB

Download
memory/3684-283-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/3684-212-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/3684-207-0x0000000140000000-0x0000000140279000-memory.dmp

Filesize
2.5MB

Download
memory/3748-297-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/3748-289-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3924-172-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/3924-106-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/3924-114-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4124-13-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4124-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4124-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4124-75-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4380-276-0x0000000140000000-0x000000014025D000-memory.dmp

Filesize
2.4MB

Download
memory/4380-284-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/4632-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4632-59-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4632-52-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4632-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4776-234-0x0000000140000000-0x000000014022D000-memory.dmp

Filesize
2.2MB

Download
memory/4776-165-0x0000000140000000-0x000000014022D000-memory.dmp

Filesize
2.2MB

Download
memory/4776-174-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5100-64-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/5100-463-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5100-1-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/5100-459-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/5100-7-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5100-0-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download