b435d144865fbb2f05fc13239fe1cf8445853761d351d76ba440cc43df76d02d

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
Size

10.0MB
MD5

27b212a4dd85e1489a319e5bffb8e8e4
SHA1

f9ce83e4558a068ed6392eeb56c8d24fd7d491b8
SHA256

b435d144865fbb2f05fc13239fe1cf8445853761d351d76ba440cc43df76d02d
SHA512

36119d9086798196338472164d9aed832c3bce733a5b3b66fa79e25c3826be52d9d47379e7bc1ad97b9d980fef2b27f22520a17b90759ef351e746602b1cbd62
SSDEEP

98304:9OIT75iBU3es/zYKQphi4v0tEpYJCvVn/IHqudk5K35KFhcaP2rzzALYlz1ELvR+:sIT+k/nIBvt0dkAJK+ALYCt+

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2132	alg.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
4488	fxssvc.exe
4228	elevation_service.exe
3132	elevation_service.exe
1848	maintenanceservice.exe
3496	msdtc.exe
4740	OSE.EXE
540	PerceptionSimulationService.exe
4456	perfhost.exe
948	locator.exe
3176	SensorDataService.exe
4032	snmptrap.exe
4248	spectrum.exe
1376	ssh-agent.exe
2380	TieringEngineService.exe
3972	AgentService.exe
4100	vds.exe
1264	vssvc.exe
1580	wbengine.exe
4368	WmiApSrv.exe
5036	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\56aa1ba612041754.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000819f2779a176da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c73b7f77a176da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030feee7aa176da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057c46977a176da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e52627aa176da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e0e1378a176da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002024f67aa176da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
Token: SeAuditPrivilege	4488	fxssvc.exe
Token: SeRestorePrivilege	2380	TieringEngineService.exe
Token: SeManageVolumePrivilege	2380	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3972	AgentService.exe
Token: SeBackupPrivilege	1264	vssvc.exe
Token: SeRestorePrivilege	1264	vssvc.exe
Token: SeAuditPrivilege	1264	vssvc.exe
Token: SeBackupPrivilege	1580	wbengine.exe
Token: SeRestorePrivilege	1580	wbengine.exe
Token: SeSecurityPrivilege	1580	wbengine.exe
Token: 33	5036	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeDebugPrivilege	376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
Token: SeDebugPrivilege	376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
Token: SeDebugPrivilege	376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
Token: SeDebugPrivilege	376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
Token: SeDebugPrivilege	376	2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
Token: SeDebugPrivilege	3640	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 5952	5036	SearchIndexer.exe	126
PID 5036 wrote to memory of 5952	5036	SearchIndexer.exe	126
PID 5036 wrote to memory of 6012	5036	SearchIndexer.exe	127
PID 5036 wrote to memory of 6012	5036	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_27b212a4dd85e1489a319e5bffb8e8e4_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2576

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3496

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:948

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3176

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4248

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2364

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:6012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.8MB

MD5
685e5d1d57c7bbf671950c0c2cb50628

SHA1
fec9f7d880957493ccfe0db86b431c2253f1423b

SHA256
4a8dddced73f032b57db9297835312d4a39ed90d3c30ed5437f0115f9c7b2932

SHA512
c9cda99658e3de62b2bef298f6d4a90c99d6bad6a36b63acbc9842437a835994ad0c0059a80bb8e1e265c6ebc039b008bf224e5558c4fd25621a426e134b3209

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
56dff08dab64c22008495816fcb4cc94

SHA1
09f15ed33389377dd777838f0ba2eaf6e6a73e1b

SHA256
757847a6816bfc8ed6939b83c5d6193e2c6f3f26924c076531942ac637fd4732

SHA512
2e30cb8c45c106405e9e38988e05f8d73935dff9b4a28d46b0d74f6b1448c932f5756ec5d9cab4801fdcc14a775ce64150b09604a585d3d5f975bfc233481c3e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
cf1df73a9d790c0a62e018c92b7e7038

SHA1
bca962f129ab82635d4d8852c5f16e0c101a0414

SHA256
6e54a91591cc383b41eaae2fe919f0accf1c3322f6d42b052af4232039dccadb

SHA512
62bcc9cadf65cd438816e59473cb9f0312a74cde961c941a37d3448de6d64c8358edb44aa79820d85b9027200f22592e1a857e4480e01ab5c4f12d3e640cd67d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
138f436bfd561afc7f06e7ba70306d12

SHA1
a9218da53472cbf0d357f53f34580bbc66e3c051

SHA256
723b35cf857174eb3986decff7e94481f4a007a38aa439e12c301cb29470c107

SHA512
0a3444824bde76fc24ecaff3db4b70b82ca1ad9af928203560790d0dcbf7d309ea1c3a49570d7bc8043717bd4b7e4a079691af9f329e14ea12bd3414fb4d1e17

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fccfecd961a38ad14d54d9f4fa05e982

SHA1
69bcd8242d0e69b6f2999654bcb624e0954627d7

SHA256
1132a57aba199b5fc3714b019ca17c0f5c8291a55a71b23f7e649a82826e46ac

SHA512
ff45b144c64b5b4b1245d42d8465e07fc54b0d2a833a7bfe86b0401383640d1b6cf2f7f95641a7aed7e405763fca1c1794725a2a3f908160224c284d21a3e8d5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
776a400bb9e6db487759b269b4eae016

SHA1
4c5a28fb7af25be421f022cee9ecf1eaa06e3ebd

SHA256
7b0cc0591c2d29b4148e209621c853753520eeb2bcbe274f86b306c4dbf1cd3a

SHA512
30473cb0c4e6db3eae44329b2cba0904a25a088146faa4ec4bc00abcd6fdda8c674f90dbcd238444e14679692cf3406c0cd15b47279bf45d18343327964b8741

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
2e64c0963dd10910e1ba1c0b413c16eb

SHA1
59ba2ccbcc296ed21717569c74f6607af33d28da

SHA256
219dc3c7bcbd780dc7dbebe6fc3acd1cb7bca41be849332664210ed18b2bbb8e

SHA512
bcf40bfe03c427e9a1436f5d0b9967cdb905b78000db3a32e75ed923f7fe68b0ff2ca1014ade03caf1e66106c3a3bff60c9172c49d552d57f065652c840f1390

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2167bbb60a146c56c8aee9694f92d8fb

SHA1
34cb293cc8e32dd42bdcb1099bce33da532727ba

SHA256
55905265bf31bdc31301df6b5481460770daa7a37148d4b7ee7141ed19f48710

SHA512
09075bdcfa27f8f1d0c3630c78c037628672d0605765b8d62b8fc524a20eac5136165825fe7fbb72fbfca90b87d60601fa0f4cf367c0236c8258ca1cdb349d2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
2b2489982baf8700a4c0815d7a95c30d

SHA1
fcf6761723181440bb5d3ffa606d1e5fd2bc3807

SHA256
ddea1fb29c6c00db88b90973559cc461ab4e7e9bade51c6d19cf6135e9963564

SHA512
3973d4151a1c803c08aa34881f68fca047e8233f7144dbfaa920ac0b355ca52e2d5b46071aef8384dc19e54bb2cf48c74c199ec45cee1ae181c4833b24fe8a20

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
115KB

MD5
f6b3923d1f110bafecd427250fc9506e

SHA1
744c8761a83cc2f672ec02e8f9519a908c35ef0d

SHA256
46f7ffa9bd432733dd224c4be155bc1d1865b284637bf131e08d525931dada08

SHA512
68c0521dbb2a1ef1700656050de8ba2fdc5d50c8e3ac6db05996add7877f748ff5446c87feb10dd737e51749c7315d13140df2799adcaae34cdea48e3b56421e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b5a90c5c3910be7cc5ce57b5f681a99d

SHA1
ca635eee9de2ac9f08eda3ee14ec853c0015ffb4

SHA256
05ad0bfc5f34e8a17346ab55ac0c563dab66d5e8ef47ce8e25544503ab453302

SHA512
95f596ab483ab6e4e1750bdb56df3fd42db2ff517c1880f0cf7c9f05fda63a80a547b4035820eccc25f023b71f3d852b9a8a6a60a39e274b0a79decabaf55088

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
edaf10d1c8190137f90f373fee4b479a

SHA1
d1405aa4caa7aee342c2162fbc7fda08b1ffc1ea

SHA256
81530389df7cb9d91b8057bf4abb483401c37f9f20f96d6ef27b81114b602d36

SHA512
52996c9579ade448d0bf4be4b06f182102823a5200649efcbe303c6f53e379dfafb9cb97881c05e3fab540f5c8234665af97e1383cfa567558f6a4317592f69a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
795KB

MD5
d26c53d3e4f1af2564f2decbd690148f

SHA1
090dc8287fd9d30062bf7443c81128c5349887f4

SHA256
54dbf9ff123535b456d3b90ae5f1fcfbc9c38c0e3907415550f064be01afe9dd

SHA512
e2331ca260f9dd085f08d231312af6464c7afb89aaf034c8c556d3af1cfef251e489db87fa5e0b87c78c565c275616424a0698877f61001af5ef1fc7fe4a1b3e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
5a6fc3ff89e755e0daa9141ece0f4c6a

SHA1
90e30a42eebda106875a15a38a7e280427e1f7b5

SHA256
0f246e2f62dc84556a5411ef634aae83f3ff8753d45cfa3b0feb6a3d63b75053

SHA512
270fb4980d88633c5f4aafcee4b757d4f52deb48ca19df4b505efbd798bcfd96d20c4cde4efb67e8e6c3fc1e5f982814d607cb30acf9da15b833d6c1761c886f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.7MB

MD5
1d1b4721640d67539d3e64ac5475f4ba

SHA1
81838f62b5c984dd0f6cf47f49ba9e925ea58cb0

SHA256
51e7ceb03034cbb1c4e9c360f802a974f82f49aa61174b4cbd5d9579cd93e4c0

SHA512
42f7c89386b3faf8bae76aff3af2c8739e8630a395ae90ebcbd56bd121ce61a5933e92ea463989d393c568cc1dc7de78b8ff3c5df97dcdeb32caeb175bbbd492

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
64KB

MD5
2406064ac6074e1fb10133d4ad4316b7

SHA1
8e6d0f10a5c0a7be8561507a0e4205879b65d965

SHA256
81a07d4028fba228b11941b137b07296cb0125c3a575af449af4a146de0e5e2f

SHA512
db16be88d966bf77b5cb3e24fa3b93f79f43090d00c8d0e65c7cb1294c8921339639964a5ee04cc417894ea99680c15b1bc383aab14db278fd485ab6476cc2d6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
64d9d912f9194b6478e804d985efa77f

SHA1
5f2f4b60cbf80d7d7a668eba1c8487b9ee15a490

SHA256
b21aa2f5331ae77bdb720f27aed629554c22c1b95fd9f4effe233a3435cdbeba

SHA512
875fbe5184941084922b1ec3c9c0eaad9ec1aaf2631df51080fb7130d71052e0fae19485be3173baa118f6712b1985bb5e16a807e9fbfadb15aaed79c81b313a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4b1c3c145d05f25c367c422b3cc305ec

SHA1
08d77044fed4355fa3971a77c705e29ef27cb624

SHA256
e79285fd06637a74f92a0d544e4a9bb5046c918b8843c8512aadb25ebdbcdff3

SHA512
faebed1f13ea8766bbb0f022ae6e75a0d544b35ea61696ba081a694f45a1598577c55435513ad681c19e7052b19aade58a26bd0e9c78fd9630f60f0c03de3d72

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
960KB

MD5
1be571f79b6001edbe57dc543af9bf75

SHA1
2755d454bd4e1c23497b9567202b6e2717671e06

SHA256
3ad3b1521157300c139311e520029c930bd97728248f1494e81b41f790f4c587

SHA512
b366ad5485b6568413626526a61ff38394480ee03208ca797e21f42d4c9e698ac8ec315a87b9d83d82a0c8eb559041000106cea6bcdec3354934e2450c6498d3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
896KB

MD5
58a250adbeb4e24d8fef5e3b5c7a0c58

SHA1
45b0d747022396285ba886469ad848bc41958e6e

SHA256
738c3ba90680802155d52a3ae209ecf7ec07da707e8677ec269ed7bbfe0c97c4

SHA512
d1293e57b7693d3b71e00c93cf7aaced473e1859c8023b55096dba7dc51be92a4da3d32349fb22788328f77a441d8e7d6bea6dbbf3e373e18087b2218cce353c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
960KB

MD5
a79d7d6c6ef79bbf625122d0b9e71da1

SHA1
986d46ca72037ef5a3e6934bbb1906af617aa712

SHA256
acd0c4a31312e5a455c0c3ee3ed77ea169193f82167cff0053513b8fdd5274ec

SHA512
f597b5814f0d60d34e0edc23e5a89d9ba42c335e00d261cecffff177d04bd438fa5f98f4402ac07234cb8582751b416a71cd4056e21a30254a1ca1b0d1df7b33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
960KB

MD5
a7dc533c289bad613e6debc30a00a9a4

SHA1
e4ba6093ec79140cc27b49213855719d6262c226

SHA256
c7d80efac91cc40c1a3ed1d4fa9aaab04f5f905e7bb27eee006d510c5d261bb7

SHA512
8069b8f2aeced8ce8293d6bc188e440a5f863f71e3344e8be43b3b16e4f5fdcc32efbe5e6f9b685e8ee3e594038c11ae17e5047a85a6c04c75b42d90a1e2db49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
960KB

MD5
11ca156275265785111171dc70dd7ea9

SHA1
f7e77211f7d453a7957cba7297b9a804da920606

SHA256
7e8908c140743373c343c3fa44ff05d02d7feb91fee56551ee9238b484f2f35a

SHA512
06ee7d2eae6f49df9cb16c768b13d24015a03b8f02337153464beda471255af9444b341780fbeca6763aeb905072404a15de8d9594c03b90b1110025117c2d27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
960KB

MD5
9d5dccc5c3587bb3fa3946386375ae1d

SHA1
f9400a9a43cbcca29afd2cb71f3abfc1216b2024

SHA256
a94fe609284c77f34c50a44215c424e4b91633204e812a4a839a847e79858445

SHA512
b8b43880ef72d68714429a61c39ac672a3f3f5765bfd036c50765b40a6c4a2413ba715eebb41dd50152e6e97bf4ea22cbf45840c3c57eb73cca45858b98acdaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
832KB

MD5
cefae2d5a77ff887a282de1038c09831

SHA1
3b45f229bcb16afe491706ca4d79f950fc894a59

SHA256
b43fad3d53d7ea833fa96e503a157996692d8b79e1f10865176e086f2ff2f2bc

SHA512
3f218197bf1e8d2a164dcf1f17d6b670ce46f63e958c6d9eafa05d004ccde49b9cb3892267df76a82a662d413808388794ebfd673134eccc42cff56b5569c206

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
832KB

MD5
ed7abb3e91edc57d777430cea468b54f

SHA1
da8724acd0cb832b32a80a134d5c24efd1546ab8

SHA256
7901ba310c59a0a1f61dfc84b925cc85912a70e416f9138f85d46b9192b8ca31

SHA512
9111455b344d3f656e839b741af2c2bc25e143ee4090df35271410dc294bfef49dd0bbe9c9bfed54108f92e8704b26029f26ffa70aaec08151c0f014f3f0808e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
832KB

MD5
7018385e2f332ef0311b3245ff2e774d

SHA1
e1a3f556161182802f69eff21c9cb55e359530f3

SHA256
d01e500baa2aba008f0d057097b9645bc7cd95a29fd0bf02089e84f7d27a4e47

SHA512
18c6cdc0981f4adf0b980b6fe42f8bba438256fcfe779bc4c72fe06beb4b672691e1b2677ceca6fd6a3181830b2070eb03da42002db0a9d3171b1c4fdfcfa0da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
832KB

MD5
ced3db7118cbae1a301ad4f145ea996b

SHA1
6ba306132b6af73a122c5a837fc2368c328141ed

SHA256
f4d01c292af53417f3935004e27cbb5346c6d3c47c846a9234b2d1e961926d80

SHA512
9aa5b5c28dfd1f8c6b750c085dbb509b380c0f723212f589b5b76cb4a6450be3129cfee346e853efc09ff9ceb014387f7989ee4fdcfda6f08d10347c02f32e97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
822KB

MD5
b4f7776dfd1180d24908dd858bc2f290

SHA1
6784fcc5f824a8c68f5cbcf4c02b8f1472858923

SHA256
9e2073c0a823f73fb517dc7d2680d734a4c57c30c6722d85177af1431585f09c

SHA512
afaa85e9ed59c63ed68e2a57fa149d65c52f0905f7a9fa2a291aceb9cf6b17169f59e74bbed7a4a02e79cebb381996d574e5bf1a29327e9e39c447cee0b530ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
768KB

MD5
b2e661c731b36af56ae1d9ad0924522c

SHA1
c3490dccbfcb50eab23e584ea0a42df2952776a0

SHA256
cb6f377e9d8c2d90c64a923f2efec7f6e7965bcd3dd81153e911939b1bf6b442

SHA512
602034ada7c732b370870136d1d63a0f61b601722da1454a6e7e6c151e957375347e8429c7e246ec2a52169ab11aeaf2c993cbd031787244ad5f916064886c40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
768KB

MD5
8095d2f864c0c94bd042065e1c11b0e9

SHA1
a347f8621f4d0307da9c035b98b03e8b9b13413c

SHA256
db41a099c93eb360a5a8d04c4f729eb1886734456db91e6506f389e8e0e7f5d8

SHA512
39d7825b6e7fae12d92cf670011a985a0bf367ab85574aa250bcf01e298be2ac6a0ed765dbd6144351b9ca50aa33ed1b6a0a613b64c9e0e584fef39c024d0115

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
768KB

MD5
b25a3cb8649e9a94e0e0fae924dea243

SHA1
e9990fbf07edea46b0f34db89e76474cc5511bae

SHA256
5ac5ad1bfe47dc487588440244be52ace1a8adda5e64f4d0254789c8c191afc9

SHA512
eaa5aa9d1c9923ce11c0d66ee99629b35baa0dc6f9068e544be9040f1320b869fcd1d80b9fd83f3719f241cca1d3b80448ca336ff3c22741a200ca1d4b2296d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
768KB

MD5
9404dd6472155b13343472b8711075e9

SHA1
02ac24d68d81cdab5246475a94e266c9e1a20c4d

SHA256
acfa7abdb446b7ac99d915991e72500f325be711222b85f15d650b4ad99d01e4

SHA512
8ef677f99087525a06bd516062087a485dd10af607da2c09c77a4f0280dfe0f9aadb457f12328397e08aa7eb114b6acc5a2b97783e63b254122758f7311c3773

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
768KB

MD5
d049fd2d1a703eb18ccfb388e116b3ac

SHA1
4f77c7df88d9741e0fda71b7947f7b4f9e54c49e

SHA256
c7d338804de5bf310f4c8ec771cc9e29bd0a0fa2e023754e3da56d9c33e0e11d

SHA512
a253b30bcb2ffa35b20e20119f8003fc13910f4a067f3ec10495bf60a81baf8520ea86034d6073f3cac315a1448d41381f4a4d54ec830461982e49d509bc7a32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
14KB

MD5
b55e01f4a108efcc2c131e5328e4d7da

SHA1
d50953caeac1feac6ba29716af40e9b6c477d787

SHA256
537c51bb1844e3b92b1dc5df7a72fd808f1f064ce3cc11056437c21768e05689

SHA512
631e38a19e6a6bbb6ff7c06fe214ac11b9f91dc22ec5a2b855b5cfbc7ed3a623107bf60ca09a885172237511e080fd196fe8b7a19925976274aef2deaab81ba0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a3bfb0a8646c9ae198d8e168ff4fbf2b

SHA1
26f8091062a2f9e687b6f735ff2bc79f61eeb577

SHA256
7df855e38aa1d905900855847747dc75795c473031ca76701821f8b3355846ce

SHA512
aeac8c39179dd629d9d6b0f901666bc94f26d25652c68af35e6a12fbc524e4385d2d43eafcce213577676281eb744b2ceb25eda174676af1838112512866674c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
ec23a205b61c732b6ec50ccfb427f5cc

SHA1
aae3589adf8da697c8abb261264b827b3a86f3be

SHA256
cce8a5bc073eb283720df86dfe8e9a5f2ef976ddd50454be482f244a1abcdb9b

SHA512
631fbc27251e2a8f5f1ecca9f20c91e010b862090b9828fad49270cefe77c5a97832bfa2493e2cc701ae8ad085631249f8e7329e60555d0e6b8f3381b7ba966e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
944b3d087cd1e2d9ed249b0d54a899f0

SHA1
908e870b3d71ffdfc7022bf141486b2761410c19

SHA256
d1ddb2c045fc401b95491062dbefe05258942192818f36f144a12fc82a1ba262

SHA512
e410c1bed13ea150e9871ebdaf1d268c075a7fc2bdc15ee2ef2db1821a15610d365ec15d463f667b2b9772e47ab4ed87c6fd27954628a0786f6c2a3702a3f2a0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.4MB

MD5
7d1de32ddacb3c07d5ea729c3a945d62

SHA1
5b4235674d656795cec7740b223c3152e3cffe5e

SHA256
0e4e6ac4a2944a43538372a6c62baba09903750ee10d2f044e063477d4967b31

SHA512
9f5b65b95cd92ab883e64f2aee915c46f92b5a19fd958fcdd2101cba1d8dd6e301e732b08ff9648f9b380a812f740935cbcfd5cac60add01e1eb1dc987f4a152

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ae2ed9d67a233fe525bde30b26ff71d2

SHA1
7d5de7ced850e1e666ae11eb37de3a94eff59300

SHA256
8d7f826f6f5854521e4a6a71e294ec8c04e2086238509f38cc857ce1c2cb798b

SHA512
bb2ed28d695d3e181fbcd85e11ac52ebcc57eb3aedea59e155516c615e130d1fb512fd0a5d7d0e72fc39a578c334de15bac95ffc0778deac1e1a7d996fe09bc5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
490c4981378f80c5e13a6837c65d3383

SHA1
4d83b9f108840139026a5a519aed63291c6a4702

SHA256
3f57e3e8ef4d539adc2b3587ba822ca44ef5a756d2080ef8132c0b02b21ab6b7

SHA512
a985cd4f9b9003558375a48605e2969f81d801ac57acaf2401730c810a1751a2c21d5c01bce0464442ebc4326d40e834038e2063b78a6fcc3ec94f2f6a67b420

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
240da6c454cb54e963544b4860f626d1

SHA1
f72b17d913272df55b53afd05eae6d0945c9baf7

SHA256
d9fe2130c76b1d64aa1a7c69a884e7ff6ac873f23b981cd4c3fbc71f80b59db6

SHA512
71442eedbb655747c824c7387205bc13021e404bdab2f8c079d47670915e9aa6f6931fde8d2649e088bde7c353918125d2d19de54313b7cc6fe0f866871ea8db

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
25373ca83f89b93016dcfbefc7d49845

SHA1
eba9613a3cc7a71ac0762bad6fa86b6a4b7dfdc4

SHA256
90ea1fd298cb175f7b19ca3fd2e952f792d7c31fb186f2796e97986b078f1c43

SHA512
16ffd52387fda45f85dd145cf77edaed367a410d402481f5bc099f6f4ddb0936489247ecdd073fca63698068e200c31bb4db8902ce225c40070c757e2a82209d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
dc20a6305e246a80c1c586ab47062788

SHA1
054c604774b83abf534bfcfc6ae2b88d3a4e4d0e

SHA256
4932bf9005dc496cd2d92375d0f309f5faef84179d515ef85dc548a380291ef3

SHA512
fbad496f55037890803c1fda8bbba2b86c7506f3764709fe5c3665fec5bce882373caa0e2bd470a4690b7564b7fa751a25c232145f8946f0ecff9e2d0ab90672

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
192KB

MD5
deeff79f0ba87d455ddd5030fd9b9a9d

SHA1
fac7b8e9a44c15b225506ee1276f8b646fafce9e

SHA256
7256a0b6e18b97a552e4a7ce80e410d96a2b98fa00f7e16db424d26ac9e19798

SHA512
936745a934867d104be51999f5749f675279f945b14edcb32981cb0026ade535847e45a70e387400c223de10178ade5de88e2e33d5a3562d91ef5ff508303e7b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
167dd92dc53916e3308c3bbc61922f0b

SHA1
38a21a9beb0a20945cc14423959136b21978d082

SHA256
09cd46012d93efd776324951e79b14f4950d186017fe228d1af20400f5087f9a

SHA512
91f7b46350d56f796dd3d41f25e11252164b50d633b2750bb57d25c3701dbfff89593f025d63257ab3a81248861555c268a53f4b066e30a2c5b58528067f66df

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b96262bd86c341667a2274683d1865a0

SHA1
4e858d8049080472477f028e4e06ff42f56a223e

SHA256
741e8a15d3a0f8f89adbcd58acb8bbbe81bfab372024ea2f9aa6026188ddf830

SHA512
a5f1f26d1bf1687d3ffaf83f51dd0dd73c85b4ae36ddfe89174054b81894c6421e65426b12053198ee5dd68415d2b3677d0acdb1ef5219afe7a016478079df75

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
845f241e4e23b43fd2057d26f8e4023a

SHA1
e59ec68cf372c1b513c6579fe0a8987db64677d4

SHA256
eb394c406584bac2bbb2c427f9ce6b6b7d1db24563fce130a95e3b00767b7de6

SHA512
35f63589b2f2b4b1069159c37400cbbd49bc90657e5c9dfa66456afdf4858275efdd505d3b85e80702003945dd579622d265971ab56b884bd5701cfabf50e066

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a525456211aa45ee007738b7dc6cae6e

SHA1
04e68ec4c1e2b84a8b7dd2986e19d284e8c81db5

SHA256
ea4238012a2b7bee058066b5cc24c93fa31018f5750e8ef7a24da90345dc87cc

SHA512
fa57f36e3799232f29c4e26baab9d2263e68b0884f97cd59ea9c706f80f4ea968e334345e8476578bf8ca2b3c7b003f0f68b634796d542778c4bc87f632a5b1c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
85b399fc284f5966ed31a9ead281aef9

SHA1
e0478c89328af2041e2c1859825e8bd906027105

SHA256
7592bee0fcbb16fd7a915aa4e7d002d72dd29b0fa3d86062a9cec8ddfdaf176d

SHA512
74fa5658ac335c1d896b79c3b69dfac33f27e46cb97b32fb88064235a4a3caf6ebabce4a082dcf228434f87128e1c1aa854eecae4d1ae857c469f1203f6709e3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
ec3d605a317275155fe204aaca1ec995

SHA1
d3f1c165eb8f37521f8167317d4a3ec447051483

SHA256
350c9603d06b4a226873ca8581ef1c9e2e09b20b798584491c0b0f7c289efb33

SHA512
fdef6abd1cdc1fa97231a7f792c8d63f4ea1120a7cb21fa34d77c615e4590cf21b0b72a362701d261ba1520c0c5a3d361bed336ac1c7a957eb7f3b28ac8d67de

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0402d8b45d515dd72f6c19ea626fd382

SHA1
5d42855e0be20f3a5e5000d661ce08529a03de4e

SHA256
dd2eff9f2a84a2a0010b4112a9284c4a96bc7bcda36066124957a74569acbb1d

SHA512
9a7ed2c8fe74d0e392fb0393d9dbf589146116436e86fdf830d587ed944a3801b279b032503ce21e66300318fc748c016bb900110371cabc28bbd11c8534eacf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b33c8207820bdf550fba76460a515940

SHA1
6da417c7547159b9cf70e2eb6d91a232bc56b5ca

SHA256
3582a903bbbcb3fd0a7c1259181f79d68ccf3f623c379b0243d873ab1d7d9f79

SHA512
7218ea8e439e59da7460ba3bf388ad3f7774265b5b6084409f7982df18672c54d2fa21dba946aa1559451f460bb95ecd392cd5d887099e35597d8cf3592b08c4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
74fa984511ba4f51b9f74be4e336fd62

SHA1
a58948416e4e993947d4e84976453a8936c0fa51

SHA256
120527f96f465b0e293c6dba842881a418cb6a379df42b005ac1ec18f39b4615

SHA512
41c4b4e828fa144647648c0dc46a48c301d9321d22543f167285a55f88ab839220ad724346ba0f7e0abc240174e35f52f8a75a35f6246650b1df99de72074708

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5b6f50b4a214ac211df3f288235f39b1

SHA1
c6806715582d2b8dea0afff312d8c413b0b898e5

SHA256
462dc46b4b9b30e06f5fe2a24ad6549e696ea2ab645339de3fb1fa27b7426d84

SHA512
3b4b6b5b0bb636b1fd92912ed9fc0e0602f26014d83cceb1097dfc335888f73e3f89ab9736e11c1319d07157816e3859f33fd25dd5b30d36d825f7a9ee129a2d

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
256KB

MD5
45ad31f9ae55161e70fdb08464ff8b4c

SHA1
0bdee8b6a6a2e7f8634dd04a9a9bb23ce4d97eba

SHA256
067dff6d2132dfe8960e6cc054b6ee99bf93f2782e20c29d298b5c6c757f9422

SHA512
676aac43f59d19b301c042ce4fe937b385c8bdda30ba37a9efd9ef3a30c59400d2778d515a103a2a375f25804a54bb45d3660ee0caed96b8600862b366537aa4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a46ea5c0b0f04e0d06e58a27206ab43d

SHA1
a2e6c5cfad597682744d48b54fbbe9b9fffeda89

SHA256
766d3b9cb3c174238c10d02af77d7bbe105856dc455cc4058ae39bd12104a445

SHA512
77c090642182d8087d989393ed2c24350073f0f5307a3a4b183c96c1a025297504b0e4c90e85fee9e59fcf8b1695e72bde997cbdd7007a30a4b17662079076e7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
256KB

MD5
1c0087984a377b0117b9b0806dfda6ec

SHA1
78a26759be16d495d836a1a1ffa9ae667219979c

SHA256
39d119cc8050e3b9e07bae8202a3568192633115e5c9987a5dce11e8fb4e4b58

SHA512
61f68826b34453122321577beedfdb797d64cd1590cdfb9f34c617df95e2af4e43d0e2a1bbf51b9fb185cb10cb6329ee6968d91fb2796a8ab3e64ff5a3060d94

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
ea60bbe59833ae1fdbee317527292fc3

SHA1
474cbbc1545d618089d62bcd5ab46df55554c49f

SHA256
278d6943fb6bd3e3e769671af40d222f5fa8ec3b1ebb9742ef579cc44ade64fe

SHA512
0283e2e0da74179731d50fa6edc2612e9a0a3d39aabe1dcb235b449214b668d87520e6e71fe165d9b1c0cd31443ab7f10e611263b3aa04f39c390587a5893abb

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
10005a7536e991821f1a1a8f16eb3473

SHA1
6f25290c6de657adbb2d5316a44b8bc5eb0711d6

SHA256
c1ca7d476b0aa1a1e40fc1c35544e600bd2ddec7e954d946b2360c593f3d28cc

SHA512
15fc3a26af72114d4691dfbf110c13cb17215d9b48b68052764493da0b10d68a05082da5249cfcbc99d2e0fb71bb6f3276ba9f117ae4edcb01653ad2e3de086f

Download Submit
memory/376-0-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/376-7-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/376-4-0x0000000140000000-0x0000000140A22000-memory.dmp

Filesize
10.1MB

Download
memory/376-65-0x0000000140000000-0x0000000140A22000-memory.dmp

Filesize
10.1MB

Download
memory/540-161-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/540-112-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/540-106-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/540-105-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/948-177-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/948-128-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1264-178-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1264-400-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1376-163-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1376-153-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1376-362-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1580-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1580-182-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1848-78-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1848-64-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1848-72-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1848-67-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1848-75-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2132-83-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2132-20-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2380-386-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2380-167-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/3132-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3132-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3132-54-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3132-123-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3176-363-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3176-133-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3176-181-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3496-85-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/3496-139-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/3640-25-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3640-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3640-92-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3640-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3972-172-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3972-170-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4032-185-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4032-136-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4100-395-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4100-174-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4228-49-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4228-48-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4228-41-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4228-115-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4228-42-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4248-148-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4248-190-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4248-142-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4368-187-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/4368-423-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/4456-124-0x00000000008B0000-0x0000000000916000-memory.dmp

Filesize
408KB

Download
memory/4456-169-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4456-117-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4456-118-0x00000000008B0000-0x0000000000916000-memory.dmp

Filesize
408KB

Download
memory/4488-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4488-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4740-95-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4740-91-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4740-146-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4740-101-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5036-191-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5036-426-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6012-401-0x0000026EF1910000-0x0000026EF1920000-memory.dmp

Filesize
64KB

Download
memory/6012-414-0x0000026EF1910000-0x0000026EF1920000-memory.dmp

Filesize
64KB

Download
memory/6012-402-0x0000026EF1BB0000-0x0000026EF1BC0000-memory.dmp

Filesize
64KB

Download
memory/6012-424-0x0000026EF1910000-0x0000026EF1920000-memory.dmp

Filesize
64KB

Download
memory/6012-425-0x0000026EF2F70000-0x0000026EF2F80000-memory.dmp

Filesize
64KB

Download
memory/6012-415-0x0000026EF1BC0000-0x0000026EF1BD0000-memory.dmp

Filesize
64KB

Download
memory/6012-392-0x0000026EF1920000-0x0000026EF1930000-memory.dmp

Filesize
64KB

Download
memory/6012-396-0x0000026EF1910000-0x0000026EF1920000-memory.dmp

Filesize
64KB

Download
memory/6012-437-0x0000026EF1910000-0x0000026EF1920000-memory.dmp

Filesize
64KB

Download
memory/6012-439-0x0000026EF2F70000-0x0000026EF2F80000-memory.dmp

Filesize
64KB

Download
memory/6012-438-0x0000026EF2F70000-0x0000026EF2F80000-memory.dmp

Filesize
64KB

Download
memory/6012-391-0x0000026EF1910000-0x0000026EF1920000-memory.dmp

Filesize
64KB

Download