db1d66eed8459ce1b7c72d2c4e1326a1cc5bed50e4535679b8e7890fe3106d91

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
Size

3.7MB
MD5

34c4254e235fc7eec9583e60f9caa6aa
SHA1

9618ce799603ab29f6bcf6ad6980cc9fb9ca61ac
SHA256

db1d66eed8459ce1b7c72d2c4e1326a1cc5bed50e4535679b8e7890fe3106d91
SHA512

992043000c63a9ce9cfe0f3cae0a64f161500727e49debdf70969291c4c03921fd34920bba3743f8aa0df3a5f9653b4367496ef54112ad6a87d4ce929bc79a04
SSDEEP

49152:LFg351Jg2TDu3Smqh7U91MWbkujdGXEBj3liyBteB9hFtYdqlMMNPFd1YMGyNNAW:S/Gbk2GXmtdqPPFrYMzYHD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4208	alg.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
3708	fxssvc.exe
4584	elevation_service.exe
3468	elevation_service.exe
4436	maintenanceservice.exe
708	msdtc.exe
4816	OSE.EXE
4052	PerceptionSimulationService.exe
880	perfhost.exe
4936	locator.exe
4212	SensorDataService.exe
1064	snmptrap.exe
3144	spectrum.exe
2344	ssh-agent.exe
2756	TieringEngineService.exe
3136	AgentService.exe
1512	vds.exe
2188	vssvc.exe
4616	wbengine.exe
736	WmiApSrv.exe
4856	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\648061db4a48edc7.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

maintenanceservice.exe2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe

Drops file in Windows directory 4 IoCs

Processes:

2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0095922f298da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044615323f298da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3314122f298da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007abc4a22f298da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4afbb21f298da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3314122f298da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4624	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
Token: SeAuditPrivilege	3708	fxssvc.exe
Token: SeRestorePrivilege	2756	TieringEngineService.exe
Token: SeManageVolumePrivilege	2756	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3136	AgentService.exe
Token: SeBackupPrivilege	2188	vssvc.exe
Token: SeRestorePrivilege	2188	vssvc.exe
Token: SeAuditPrivilege	2188	vssvc.exe
Token: SeBackupPrivilege	4616	wbengine.exe
Token: SeRestorePrivilege	4616	wbengine.exe
Token: SeSecurityPrivilege	4616	wbengine.exe
Token: 33	4856	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4856	SearchIndexer.exe
Token: SeDebugPrivilege	4208	alg.exe
Token: SeDebugPrivilege	4208	alg.exe
Token: SeDebugPrivilege	4208	alg.exe
Token: SeDebugPrivilege	1492	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe

pid process

4624 2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
4624 2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe

pid	process
4624	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
4624	2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4856 wrote to memory of 5044	4856	SearchIndexer.exe	SearchProtocolHost.exe
PID 4856 wrote to memory of 5044	4856	SearchIndexer.exe	SearchProtocolHost.exe
PID 4856 wrote to memory of 1204	4856	SearchIndexer.exe	SearchFilterHost.exe
PID 4856 wrote to memory of 1204	4856	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_34c4254e235fc7eec9583e60f9caa6aa_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4436

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:708

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:880

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4212

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3144

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4388

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:736

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5044
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c8cf3aec09e221e4e2d2b175d1d2dec5

SHA1
5a98ac03be86739c48aeac2d31226736663d67ba

SHA256
ee58d25cbbc5c472c21f529f9f9ff64f5fd1e8c35993097195f07a55433f27c8

SHA512
9fb848d8d693c41abde851f0e20985e4d2a3d95bd2cb46cb860a2775836c676fcf1bf205b761141c0ebcc8f5d537472415b64978f3ad47a614d52fdaf9105adc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e17813fcd2fa9b48e91289a246a3b94b

SHA1
78e9390e20ab228394a4a842a170362b16e8c99d

SHA256
38bd05d3a367ec89836be6601575ce4758620a8a83065309400012161bd90cc0

SHA512
b52462eaaac9336b664f92af334b15effcdf2661235cb4da101742f0f5c8a35fbb6fe57630e99f8809289dd4f7e5c45136cb14c59c5cea5a62cb1eab2e14535c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b2a0375968837843493d89001fd74fcb

SHA1
dad2a5c699e5d4781f061e4cef127814ee77b95e

SHA256
8913d75855b4b1b0299e100014c4ab29a3b9112487a52cf1a9eae2f3dd55868d

SHA512
50606a0a5e48b1cfb9723eee280f9a622130e3f4ce4cfcfbdac5289a8e2ccd10c785dd29a42b8525d0dfc1a8840cb437463285e0feed6e78e9f325057d951cb1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b381bf83dad9fcb10154385c13264ac4

SHA1
ac0b92db8858e7aa3eada258c6f1236fdf3e7241

SHA256
416732a83226b90adf89544b8f1d02097eded85efd22817e09253d1d64fbe52f

SHA512
c4dfd03e8f25dd4b21f824fbcce8b9a6fbce6bcb5ec8f2d0c933272c1260ea5bcf82f7ea0ca7e9dcf8d246dd90930570c82ad88aac4935496237aa255e5b407a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
115d02a072d3ed0f39afdb60c657a1d8

SHA1
d6f38bc15c04fb85bd16cd4efb9976bac10c55ca

SHA256
d0b0d84784e592d13a802702b36882f9c8f0d3f8de247f89b7df92825a9019a0

SHA512
0612aca235732ca2074733b6345d1fcc4e095c145c8f006c0ca8aaf9c416771b6cc4c9b734d67858b5fa944e902ba07d6cfd5b7aa778d425511fb962bac020cb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6f3aa3e20bc0e3ca6e4c48ed2fa02ead

SHA1
ade4120a5fe2d92e7d80fe09ea7343603786bba9

SHA256
21663b14f20673cc410c97138acfed47c1a1450e2078cefa51b3e54b1ca5cdeb

SHA512
92645660980669af4b1700582349654d7b1214465905212f071589e011c426dc84a939f388aab0ac3381d5f2ff15dfbb45954d0a8f856e356fcc5042f013614d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
16f3a559da29014d0a4601c8749a19c4

SHA1
a38966a8d9078266e2059f6562ecbf3c6b825364

SHA256
8207036100dc93cf08af24752d61cb5188718207581c3ae7389193621c00612e

SHA512
f3df27ef2a63d3d9f3db5defb5f1680cb8cea6f554d82633040f16ff4493575d4ac08e8d376f60923b90d3ed05ca6652f811fab925fe7cf7659e3c6129f323bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3f53664d7989b21972195db8bdc10bd1

SHA1
31894ec43a780abf772a9ebe914f9560415baa9c

SHA256
288b74ffca6413786b0fc6f9737e4d722df0f39850601e7d303666a4abb0c457

SHA512
662752de6c2f37c491b61740e60610ac9baca4c93d873011c9c29a494292e6b7816e5c3a65d11ab4ed65f93e66c684d7e28175f6084179640bc466ad57337e60

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3155f80b5603994eaf3540eea7702f85

SHA1
1b4e7002c8a061725583bebd57f2e87ccc13e914

SHA256
55a1f4fe8abea21332474f337d4000077df05f520777cb632abe9ea67a32e181

SHA512
112e719f00a189b42694cc56d5442aa82d14235e92928d12d1208178ad7210cb1bb0745b9040336ac971ae37bc6aa50504517c9bd0369b78083641daee88a4a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6d80833304edf89996038a88d6151e4c

SHA1
7ce58f58fb35f174ba801f4b66ba8bc0f68a06b5

SHA256
19863e35b0dc5ed0d4ee1bfa89685d7965fc15c79c1d53d28f4fcb1f990c0d6a

SHA512
a222bd7d228cdca8bee16db5b1ec828904a7e747a62bcfaaa3c0c96347cde00a1c5c9004324991e950c519f2e091b37a022b798319cdcd4b1ee2de1c77af7e5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0d7f78f588f414d43484d046e74feb3b

SHA1
8fa17ec1a393db993c181247f3b099b9f3fc15ad

SHA256
c81c41b3e42e9cf050ed14962b82bac83b22853acbb7eec6d510f492496c07f9

SHA512
43649993fc7b2b4ae6e6eb6c7167a0cf432c6dd3950b6630a9f3c5b49f2cecc41a214c3e317323e84a6b1dfae1377beae711908e493a92ff3b66b1e442e6266d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
daa49ad18e7fe52134411230faa45834

SHA1
42a75e5a50d73b8cf1e8048faeffef3a0c74023b

SHA256
38741a03075f57aa2f9da019e57c833b8bf6cbc524436e9d3bc9c87149bd707f

SHA512
dacdc1a4bf15f4468096e0f3f6fb4bd24b0abe95cf10113ac0f472b5fda53d859d2984aed06b1f4f72ee2f83fcacc1679fc4b1ebc5561ca2d5c1639a1a3da808

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
3a25bafc6a98393fb2246b48d3ac7465

SHA1
0bf5943259c4cdcccb5ec2bdab47ac234b6e6489

SHA256
cd40495f2c1857c9cfd7b397fb524bb5ba5ddcbec97335bb4742d1a1b5a4c004

SHA512
8e7a6207cecf6dc6f06ead669c6e7a2ecef88094233701fd33c66f834a0d03323a4041a07b09e69a59fe3775ca224a78e0c153bccb73600b92a2cd08d30c9cbc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
66cafc984dc953e8470f1da18682594a

SHA1
78e4069a6560c77766cf8b72c0f0e4e60c68fd47

SHA256
76847a3f40bccfb41b25ebe64234b156ba4ebb661f0a76807329b7d2df8ca560

SHA512
277c60abf8e980144f6347923aec355d876d2abb096070f21fb7633a72b5814b49394101d7a9675c9f133c450e7f8e5d42a3190f4688f0290ef4a0d0192bbc0c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e674698f815c57fc01b12ae32c84c958

SHA1
e82c78cc10c4ca0eab29a9ef5b3be8c9c10c15ca

SHA256
312bdc7fbc31fa62282914c81531a72a4c60bd9a678aa8565fd53fad033c3997

SHA512
e2528ec95a2eadba82bc58c70740bd69f91934156daace829cf96c1bb497e4589c2b2329f2beeea1a178e9c90260b8c880d59910263805f9a880ebd5062212b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9336cede46f54b032b61dcbfe286c55a

SHA1
9e6290170f110eb9ecafab0f8c59c277dc238370

SHA256
5e83b389293dbd654d08abc6d306b84916619ca3fc16cff0e1f938081db80864

SHA512
01836098ddfc2dde63ed7a231e41faff197410b65c409df25f6929641878f9be46bab33b48e6be26684db99ab3cda4c744c368d1153871e492900c6c5d8cc6a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4772efe784e85c49615f318288e55e85

SHA1
55c3271572320d68d9a19e275b3070354e8a54ac

SHA256
837a2eba6ae7eb7bcc86cca7275f9096f3c2ef931dc39f8428a9d39c3da88a5d

SHA512
cda6ee9a8493d866249b14cd4b7decbffa098c2b2727790c97e5afa96886b40b59d8f14f6f1bae1cf9d952cc3af04a39883d42f0d0fe4f346bd7904c4bcb4876

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
96e18a91c206f3507c605cc21253ed49

SHA1
4c7795409c1cffef47030066a87e5c620960536f

SHA256
7f2adbbc7c0e5492082796e5f628f613a1bc546583ffa85cab4cceab4a1c5e0f

SHA512
d5db05266dd45f90b2fbe2bc20710d57f26752213a65525b1ccbc3c42cc53a2e527c697280d8a546f02bab3bdca0316612b0a508c4dfb60d65f575a5fcacd270

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
95bec7455b3571f84646d4d106cdce93

SHA1
e226b39f1c85fb3dddb54cc048b56397125f6fdb

SHA256
50e555c081f6daf01b8be1e2bf252622d1e086ae9077e020b52d85aa331c0c5d

SHA512
48e6fc237d0b6585601bf17c00d38a86e6b82d84ba264c82761683f4eb026020faf63453a7e61bd66828d86b8448f1b0dbcbbf27f37117808d95734b7be4bc68

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f227acd08e01a98b83b61e43cdb345db

SHA1
975cb81b3d2b53ef1065286062b3ad682d57e7e6

SHA256
7a2928fb8024946c7e26e9091abbb6be035c73d9df143a8b568aabac1b93c50b

SHA512
6f9e8af54bad5b25e33a00bc6485d2e65a7f54e32190415c647f41e8cc09a21800eded9a104c68d07de0b4e1ab8e55276b230b183c80a052ba34b7bd8b5a3488

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
68d227a813ab2888ec69f21551caa829

SHA1
869b46abc3c4e8bb789378be1071e38665dcc617

SHA256
b7a898c95e8f6981628a2846f089fc447d3c92228292da243983951be1e68762

SHA512
a340ad1e618be74ce7d5d60f2651aa5c785d2a0dd4061dbeb964c1cddccc7e8a8f685c1b2015c75588ebc216b62813fafb5e24ae9d5df076f088e863655b2ea1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
824fbe0d03811a0688fda9a485b8d131

SHA1
2dfdb0a6aa9da0a3934dc806bf1ba84a01be1d79

SHA256
d934bb207a7dad935cee9aacf38357402a9f3963050d2bd9a452de82bde17e64

SHA512
cf858ba723d52d9d6d28e79c526196eccb1083570823374499825114d60e18a102d22f2aa5baaaae7c357933881eb86ec3a324b256db1ca91b9cb472652d7666

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3d8a8b92152e725c1da4ac8b9efb4845

SHA1
7e07428befb55a9e3604bfb42cf3da62284424a9

SHA256
e5cfa031b497738ffcc57868b8d2bca93575bde70a43e472387d4a37296c0416

SHA512
fae26f9f970fb7308fd95f835f295429b7bec469a615dc5240fcb06910d94a6c4b2665baad50d275d59a995d1b1df9140c8825fc5ca94ab170c708ce9fe79b33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f6ae1ebfad8c204ae7df127db4a57544

SHA1
3e92dce5c0e6f0579ab6ca316a6652b8978fb60c

SHA256
6aa1c1d3f65e61cb66788c0afecc7d32d5d490c202dc1e4fd1daf09812160fb2

SHA512
f5582af1f4c1d541f7dcfeb73e6237444b2faaf62c3e73306e90b18bb7f27e97bdbf0043401b3e442048a567dde513914be919a9d995cbb98d42742ee47f54e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e9ba853978ce142ee487712f20fa40a4

SHA1
dc1540a85f31bc23e7d02da300adcabb55b0d619

SHA256
8fe30da8aa8c676f26c5735343d7290ebd9f5d24d6a1a58651cea0002299113f

SHA512
cb6d3b280552d915ae99e129c0594fd4e1dbb0fd1b04996891aabeb2759a012a222cc1cd91086d7d054963e337a02704052a1e5d43120ea029c5bce1cd7e92ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
36266df2160e5055d6fbdb6425c49e56

SHA1
6b2cb491ee04865236c656f8e2068fae9796e603

SHA256
ec03618b46004a6e662a61330d1831b2dd5f02548454d428a07db1008c5553da

SHA512
e8f39d367ca84ba43fcac5ea00a9f8d78ac37745b1112ee9994e03217de96d457df2e56de87c088ff83be5227be0032d30d3078e321129269d1debe8f3614780

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4a19c188a351a859a3bbeb161fd2c9aa

SHA1
ce181c150de0c92460e1ae3621cbc206913bffb8

SHA256
7883698bd576bf76db364677c0a3139be9262b5f3e79fa73e7887ebee701f611

SHA512
6f19cde05dae569210081d2a832601bfd2af7e5ae0d79c81503fc2f33d8f9eb13540db5b9a9ed401395841b109fc8d74097e142c6977b28fa14a37809846ad0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0badba147a5e86dec705dde7137353fe

SHA1
1deee6dca4d04309e2601b8d9832833beedb8ac0

SHA256
e51ee31607ea1da964eb422c252590f56f0b67ada9a00d35237886672e8c0fa6

SHA512
f7a8d7e318d11b921d5af33aeadf567a44bb5f57bd1f68f13ff28412528976fb36e39eff3676c87c3964e51f164c52dc3d07937b579afada2f733087a5f6488d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c9777b6dcf3aa2d788f54dad8b346b47

SHA1
3b38e1fff4d34607b49b8ff5974ea48e1fb75732

SHA256
fc54640cef96fe16daeecdfa6a48b1e63909ed686a6552256d7328a677b33817

SHA512
565669bd19fcef037a77bc16f251871d72bb90eb72cbb9af885ef9bcfeaf1e54180f4f26044c8a5de03133819c1ce4e04a3ae92dabf14b4a6519916fb30a477a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c80c19e7bdf07f1e3504bf6bcce6cdfb

SHA1
002ad76bf82543b4567dbda2a208a6c18abf90b5

SHA256
299ff850330f6648e6e83ead9771efe16171ab05a028699bb24275165ff8adca

SHA512
f7f8946869df16759c22ea45f28903033faedf1163cb1e12437016fd2cba3e42fc36dafeb564abc4a1ed7cde58cb019f3766d89c43314b622ce05b98585254e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
487cf63b955cf05abc9d7eb8474c4c6a

SHA1
d4762cbadf6bf24baf227b40898549c157a6281b

SHA256
19ecd696c3cc07f233644f78e14fa5184a5e09c8f253172c2b490afefce809ed

SHA512
6864534aee082a047b4d57d06d9dcf080ae034f458d5b7ecea5c63c54789b85667b49e4ed8f009ca61d4935f36f4882dee4fa2c242183e4e08a42cd496d03b04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7ffc40ea65cece1a1cdfdd691c6c6d8d

SHA1
c44de35186133c2b117f9900c2be51c88b8faff0

SHA256
4fcc051ab5f97eeb13c0345256e56a7e180538ea1ca8350052acb7e02ff9b0d2

SHA512
2825efa2a5c1213540272867a46e2b0e447e72b6ee34b3b971995e13fc98c79763ab610f5cd4ce39b74e291adc6f92fdd223b8481525ce9624dbeb55a04725ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
3ffd0df2f814c74446b642a6a073d470

SHA1
075f5a2491f564ad79e4135e55267f85470f6b41

SHA256
0f45d6c765d1e46ba203db822286067dc43f508bb038bf27b03e076d09ac031f

SHA512
d3b9e6c7dfc17606c672297be582044fd8548b96200f25256c9224d2e461cd7a7b2a5e6fd2bbaae1ee9e3c511fe69af1d445b14417c241ab0f791bccc4f90d18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
72d941bb75f28d9eab7bd6816e11b4f0

SHA1
a9fc1874a0d483c617785e288b1fdedb80b3eb72

SHA256
0e9f9f7f37ed4a9b232952abd35aa620998e10935d416bb2082d2603f74b4092

SHA512
199ec20a1834df96b1a050367d3ffb96a48835534beb70b8fb227e9b988087e7ca6950c6cacafe43a72ed71cca8e1ee1936c45da9f918679b5f8c7a3113c0b88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
35b2d28c322e36064d19cf1b2c97ba8a

SHA1
9c6b9d23fc6889f5891849550c56f4f4f1d72bde

SHA256
ea5a4bbce04be1a1fd4bcf52bb7cada85e953d29b8cc22e2906b351345faf605

SHA512
a895d7f6c4d44bd610b150b3c56b37f1c3f82cfd24a70310f1f4399657fa39d6102a4ed7678f82bfe5962b2570ccaa38c9c165a058a31e7f0616d89b1a4d2798

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
0605126288728036e7d44160a4102651

SHA1
da184b7d1d512b15fd9acd955dd10b9d3e5c30d2

SHA256
b6cde6c8764647ca364c9d3b145d90db72c1c935a31c690b4e38619873268e0d

SHA512
dbeccf777fe24321254d6e0693c592ea9470835625ffc07f3a1ae3dc1ed6f1f1ed43e720dfd03f80bfce2f0c36a3b6cc44b4b5a7756f6f583ca35866cb0271ea

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c4078ff310814dde4166ae49ceba3fe1

SHA1
aa123493ed8f6f7fc35b2087870648c71a38e687

SHA256
4fedd82517d701d6f9824d6caf6478664c09f68609430841d776676e34bf19d0

SHA512
146dde9af3e1b22c3a6da805f785f8d55a68f9d3901ac1c9620c520ab98be1a86c769036e7b0b0bde10b7fa93f31d198d79dea0767980f441c889577a7a2e402

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
17e4851b6f304d3801bc88e842238f34

SHA1
e912b4780b3945b1467976a21a0c4c7007bdb10c

SHA256
4388d3af05d3977f78d26de723b7135761c97f063fd3f6835ae0c9290716562f

SHA512
77400d44a41a96e8fb25cf8de0d837c741fa8c62486cde5950c3afc593b4e440abd1f3c4fe94c7978b71bcbfe977202f9daa4a1d1e75971ca87a3b3c446c2421

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1b440f807a36da5d4443f50a1ae3fd93

SHA1
206a268261918810860e5a07a49c01a9ba4cb5e3

SHA256
e4b418a8387ebc4aff9550dc92083adb57aa249d32ab0fc30bf885fa7eaf8a5c

SHA512
e4db6d911f45ddfcb02c94a5001312fb0d7dad10eed1b04285ac1494e5f4ebd3d0abc40b360852d0e54b0f3e371261136cc1ea003bd5a4d3b951b0b8f86df381

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e3ca37d0d25ee9a37b21384a4b807dd2

SHA1
5a79cd73a3bd8e01f7d55f6ffeffc761b977a4a1

SHA256
8f2c71b26773a0eaf6697ac5e4efeb8d76d61610ff11439c4401373c8bc5bec9

SHA512
6123dbc20d0b7ba824d73f15d0ed3d00edf45b9c7f88e6e29f7c52a537e90fb2937a8be3252f627cbfbbcdf5a68d1cfd146185ad0dfcbcdee75144c4542f87a1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
73a0d17e1fde7e3695957cdda11ee803

SHA1
b93c645b8ed398a6a88a5f1fa2b5c1c153be967e

SHA256
9f162d6499e4d4350739897b5e253f833ffa91d537f76accc690bdc498ea3e14

SHA512
31ce6b74d9bac5154c171573e53a374d2853bba4c8789f5aa5df4349e4b3f5da2c927ef38c94c12c442b98aafba2f390810ee52da77387f578681c4925a31248

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7f88b24b1e9605df9328750f7c5ac125

SHA1
f8c5f39c2e48cd3d29d0f5b9118c2e5388951260

SHA256
d83411602ef2dd975e87c44f519a2c74e076b6c5a2bbdd8f53d7bfb8206072f0

SHA512
46decec31358d2222fbca8982a8afea3dddbb1f68ab7dd01703f80efbc2861489406e673d1e4f10e11d3fda78ce204f0ad71321f09d88e06bd31ca46414b8ad6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5e1a4c8de8817812e3fb889b143121a9

SHA1
deeda27cfdacec5d4ac9153f155e72bb88e6517c

SHA256
0bff431524de9a8a32865fc70ec2db4492f74b0b67c9af3012a091ed838fb441

SHA512
f30306744c95f019ae54dd7a35e71ad219f538760195aea44a17aa6f22bf013a711f4ada3890da883d651977c9ceae918e43d5b491d20aecb93f202da6a2e314

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a851ff35ff8bcc0a94d81758f16737fa

SHA1
0dfb65be761254a445fd2265593317ae706be31e

SHA256
a7db5bd6cda7af7a020d365d2dc00d7228538709dd79f7b71da374f6052d5277

SHA512
4e090c05be7aa1496eee8bbca8762beced318dfdd25f7e562006f5f8c08991c5ec3514af49506df8e17542b2cdb7339dc36bc46a6107623777cf685665657105

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cdc1fa081f02fc0eaeba21ee7b409039

SHA1
3f379584d0df47c35893c3090d2e5a3978a8da52

SHA256
df18bade26f51e5bb2e030cd460ece29825e3318b0693cd919202480917e14c5

SHA512
bd3c07a6e4792d9f534ea1c3ec810bddf1a52598bc4a485f79dbf0b282350601996e2b9a5661dd70d667ee5d98c50dcb7def5a25523d28c7d055d440da65a6f2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8443580326c25494dc81e91837209b25

SHA1
b1cc40cbaf10b0ed37791b3f1087b0a135be6d32

SHA256
c74ddf7684c270355ac74465ec133cc0131469bd12fccd20f7ecd5c9c9b5d257

SHA512
c5facfbd29882a627b5a98879345ab91ae1b6d132995ed985a881a7787161c9192a413e9c707d599afab6ee5b0e62bb7fec6d35918df6ea0c492075f55382336

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
95c0972d5e4de25e520fce5ed86c8f8c

SHA1
1893dfff66601c9e9e9764732134fe6b2ea7c608

SHA256
3322b4601865e1aed62670bcf682eb1c6e738789d07277f8f9ca9d7816246db2

SHA512
a2004679ee9461acfce9e44a901c3807a51ede0ac54ed9d303379e0e925d37af6697948333fd30a1de9f4299d6e6b666a5f3f22e7b897d3fd41844ffb443ce68

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a2203142529978f0677df5dcec013b66

SHA1
7c449d40bef7c07f86666ce808ab0ec74fbabe8d

SHA256
865e8ee6e08a281c0bbc50011bad697b58dff08d7aea949769b81c1b937bca49

SHA512
64a4becff8da09b2f72860fd61488685f75dc2a9ff0fc1745599d2c0fc01a3df82655a38b4457ffea4853fe180cb356d52034ff98f37c98f44eb6495659e3a01

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b9d5788b3a268be1a755ddf9b15a2e3b

SHA1
3f992e47f53d5153677c9258f76a66604020e20f

SHA256
32650bb054b7c3c0471f657cf221986fa57a0aed0bcf6574306ec5295c86ff9d

SHA512
4c0e706aa48df16b8389828cedffd707be669cd3601aec81263b5e2de410cf93887ec3746669119aac118139eafa701bf1a7118e7f033bc5443a667bcd0d7362

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
038dbcab5605be40035c1abe6c030ac5

SHA1
04061446bccd65d8fd62a6a4d85961bff75529d2

SHA256
f56594bdb829bd33663d31280a2eaababa789f09583fc7b0b3458d9eba0d291c

SHA512
985aa3c8455e250d97a2460e686d8848ea8aa0b77ef845f20f3985a38b4fa40f4713e97d1655462d4a6e3bd4f4e28724eadd4896dcf5fff118bd7473bf0cabb2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4cac867cfdde55d9f88cbb6593a782a0

SHA1
bce8af27689c5d2b02369a950090c8c3f961088a

SHA256
6f448d4bd54b53e2a9470ee785452280ebd7929dfa87e98cfe1ee601b2f89fdf

SHA512
9406f7992c37cee5ea7b3a87c8d6983b3be5dc4ea9ee72422a5933ef620dc10a67ae55a31a3dcf3c63fee5c5b5330434b81169a239952db59fc53b07a4db9a65

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
79202fdb27a3b3589badddbee65adf91

SHA1
fb4f6a67f9f5d80878decd9a361d024706fb6ef1

SHA256
96a8708dc236bc123f81d43e6d9239cb7e142c67d1c02b02ba91086de3ac01cc

SHA512
4b0b6d3e1be318c5e145f5fbeb0e61dd477b652a518d8e1d23770a8da77cd0e295415c78267633b6c55e5d0b8a2bc662fdba3c219017f7e29609a403a60b09e0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a9751ac6983770305f96093c102ad56c

SHA1
b294946fe2bbc57605af7467b7de5b5507a7f5db

SHA256
ab3718873ba4e8565e701e697591a3e03d5134c6268d7c7356e905ff52ac9203

SHA512
5e638a1bfd758e6cf826eb345cf50ab45a396798d823009f13e07f88c7d2ba34cabd5d94a625760ced14a1908597a0e4735226898c54ca9a1e9cc9304ebb24d8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0a2d15f8d47ea9da0e69885f0f3db909

SHA1
6fb78da80a7b83eea6fd53d5e2894064648c3d03

SHA256
8b376fe8106d07131b3e42c0e3442048bd8ae65ef621456edc2c8545a8263cd0

SHA512
72d82619e9e8d41f8ba38e862f09abbecec6bb62d0168c9f10baac1c7e3de87ee11b72e3d625cc4784be9c6a3113af1955fe25e2228627c920d073bb6312669a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6a1bd2f61b2874a1efd1adf65ccedbdf

SHA1
b0a05a9aac9a449a24096a9aaf6ccface5f14595

SHA256
a9e384cfaa21be042db9be927fdd7ef5a5d406b8aed5790c0865a699c8d8dc7a

SHA512
a15dbf1fc6ff04d823329660a86d6440ecf916d627125a803dc0966efa289d15e40b05fb7fc4156a243d9483dcca3ae1803cde01cc5028715114cc4469046d85

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8489f8ea7ace9e2b97da823f56f5d539

SHA1
b0e124b975c87652e49642558c81e8130fbbb332

SHA256
66941301e93bfd429d8796415ee7bf2a3ae848e2be9edd46514ed00f5aa8fa56

SHA512
f78b8d125c33cc75d769532089e6deacb6083425c3d1a7234f900efa5d053d05416c0b3394c566e8510a1935c4b9db7fcac30dbca00cdb9c1425781e822c1760

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6a504750a814514a47c8e6cecc3c38f8

SHA1
10f999a4958806f1a70fdc7c5b06ea5e742f4d27

SHA256
a123da062e0c3b940da90ce2ec91aaf1b87b96d07ef7f54526737cdb4bb10cba

SHA512
d3c8e980c8739ae2203b474446a7e4e8a7d5feb8c481d270e4519cefcee302b7598dc1d8d8003749b978555da9bc42158ae4095ee119a10d537eb53122a6dddc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
f17c217747b640e2f618c695cbe5c31a

SHA1
9cd3aa1716e8987e2715a0243104af75ec1a30cc

SHA256
579d84cf0db291d45d680f0e959f90ccbc85203956d8f4082542e20f64903ed4

SHA512
cc66b8bef00540cc85a509c64998267db4e9d603132b6739a508d08e771b9ef5479494502f092d8c9e641f204318bd8ff07608e6b2a3e5dc955a6b951c9c3de8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
4e9ce478aba8871c618395b21cb6f9a1

SHA1
a53f78e7f21d3ebd118b4a57344900aa5735da09

SHA256
24170257d2f1f5189725431213aabc81fe64092967ed57640dbd57142756fb95

SHA512
6bf9d8fc278fe87927b7bfad912a2b2ca58aa96cdb102d7f308c9066f879d9c38f3b9a4623b0fb6ba3bac49b937c30006b128092eb9012276f5cf65632adc3d4

Download Submit
memory/708-96-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/736-686-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/736-253-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/880-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/880-240-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1064-155-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1064-463-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1492-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1492-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1492-131-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1492-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1512-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1512-681-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2188-684-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2188-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2344-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2344-676-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2756-680-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2756-191-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3136-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3136-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3144-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3144-675-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3468-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3468-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3468-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3468-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3708-39-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3708-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3708-45-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3708-59-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3708-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4052-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4052-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4208-127-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4208-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4208-13-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4208-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4212-679-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4212-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4212-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4436-81-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4436-108-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4436-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4436-74-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4584-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4584-49-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4584-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4584-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4616-685-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4616-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4624-488-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4624-8-0x0000000140000000-0x00000001403C7000-memory.dmp

Filesize
3.8MB

Download
memory/4624-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4624-492-0x0000000140000000-0x00000001403C7000-memory.dmp

Filesize
3.8MB

Download
memory/4624-109-0x0000000140000000-0x00000001403C7000-memory.dmp

Filesize
3.8MB

Download
memory/4624-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4816-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4816-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4856-266-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4856-687-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4936-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4936-132-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download