98cfd16b11304be056dce24af429e32dfc183cd9fc71fc50602fae2e4d668c0f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
Size

1.1MB
MD5

170a64b127d299a9da3682c4e935f26c
SHA1

6c265b7411a70975a0e5a4d16c5ccd6aa7fc489c
SHA256

98cfd16b11304be056dce24af429e32dfc183cd9fc71fc50602fae2e4d668c0f
SHA512

bbe0a75864917292f9f1ea8a637b749a71da1e0299b6d4b0f983f579c474d01528567dff005c73f3cf94785726684b8b64433d0bd51bcd332005795b5703c919
SSDEEP

24576:WSi1SoCU5qJSr1eWPSCsP0MugC6eTaqMrfUgYbkhqfj8uqw:GS7PLjeT+rfPOkhqvq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1776	alg.exe
3048	DiagnosticsHub.StandardCollector.Service.exe
4000	fxssvc.exe
2012	elevation_service.exe
1436	elevation_service.exe
1248	maintenanceservice.exe
2036	msdtc.exe
2796	OSE.EXE
3148	PerceptionSimulationService.exe
3272	perfhost.exe
2980	locator.exe
2032	SensorDataService.exe
4824	snmptrap.exe
2416	spectrum.exe
4756	ssh-agent.exe
4776	TieringEngineService.exe
5092	AgentService.exe
4252	vds.exe
4144	vssvc.exe
3568	wbengine.exe
4752	WmiApSrv.exe
3380	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cc0743e9ad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C1566D4E-90C3-4D8D-8731-8398B4F79F34}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C1566D4E-90C3-4D8D-8731-8398B4F79F34}\chrome_installer.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe

Drops file in Windows directory 4 IoCs

Processes:

2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1cace499699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0c4fe469699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc01274a9699da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000993f98469699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b08f87469699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004853f7499699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d27ea1499699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000019d624a9699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3048	DiagnosticsHub.StandardCollector.Service.exe
3048	DiagnosticsHub.StandardCollector.Service.exe
3048	DiagnosticsHub.StandardCollector.Service.exe
3048	DiagnosticsHub.StandardCollector.Service.exe
3048	DiagnosticsHub.StandardCollector.Service.exe
3048	DiagnosticsHub.StandardCollector.Service.exe
3048	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1936	2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
Token: SeAuditPrivilege	4000	fxssvc.exe
Token: SeRestorePrivilege	4776	TieringEngineService.exe
Token: SeManageVolumePrivilege	4776	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5092	AgentService.exe
Token: SeBackupPrivilege	4144	vssvc.exe
Token: SeRestorePrivilege	4144	vssvc.exe
Token: SeAuditPrivilege	4144	vssvc.exe
Token: SeBackupPrivilege	3568	wbengine.exe
Token: SeRestorePrivilege	3568	wbengine.exe
Token: SeSecurityPrivilege	3568	wbengine.exe
Token: 33	3380	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3380	SearchIndexer.exe
Token: SeDebugPrivilege	1776	alg.exe
Token: SeDebugPrivilege	1776	alg.exe
Token: SeDebugPrivilege	1776	alg.exe
Token: SeDebugPrivilege	3048	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3380 wrote to memory of 5092	3380	SearchIndexer.exe	SearchProtocolHost.exe
PID 3380 wrote to memory of 5092	3380	SearchIndexer.exe	SearchProtocolHost.exe
PID 3380 wrote to memory of 2684	3380	SearchIndexer.exe	SearchFilterHost.exe
PID 3380 wrote to memory of 2684	3380	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_170a64b127d299a9da3682c4e935f26c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5028

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2416

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4728

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5092

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
39a10cbf7fbcccd6c69720eb08de3d9f

SHA1
34f6da4e602a024367e01b19a987b6b8f33f7c78

SHA256
1625640dcbe67bbfe8140556cd1aae4cc21e86ef716c882bdbd4a331c80f89ea

SHA512
01c0eebf4432739335518de72430d31f2ecf5f83c137650f5c79486140300a95843012440850daf00b3e9df996a64215d049208915cceba05fe45432a6028302

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
138a5f12f63c632672e5dc54dfaaa606

SHA1
cec1e18e48fff13ab0ca6de455e2a078416a9b53

SHA256
16c35277be1da12d1b5dc3940a756cb031dbf8ee778fc822b5b28728d23433f6

SHA512
d0cf6ded15d453dcb71cf18b880db9d540c709c67d14cad75a5375b20827335e813e8c1781a5fd9bf6db9446d0eb02ebe995ef170640cd7c5e86480234a49b1d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
95d6ddaa553a1aefe93831a25d375f60

SHA1
2e96c14dd960df0ee3e3457d9e34444cf789654e

SHA256
5fbd006a28fc03b330e2cdbdb77bdb9e963d045122dee66e825bc7d50d92fc87

SHA512
7f069756a6f9da4b7a9f9c73b888fc01417d92c42ac3f75aeacdf6981db5f147cd7e9248bc0fa90b21a0db8aa0cf8e7133fef142c9a05970fbe76afa05a68aa3

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
1118c3bffc6b50afe54e7f3039d42144

SHA1
66440cb16d744e1b5dad559ce92a7c2685e74b75

SHA256
bd1b68ed5124672e443642b045ae424dce5b6c6a6c196118643b741fc68ce6bf

SHA512
88aebe93352fb12a129f298519454f1dd78ea7b20903ae4d9660f3884bc41f4e36c617e87e2d974000705da44920890d69683e2248864b193011d1548cb5f866

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
169ddd407bb3c69e11c9c3dcd3a587b6

SHA1
622badc3423212fc22e2ff73160b9e385b699eac

SHA256
f0d954339d5236be97d2163395ffe4d869bbfeef4392699037285d286855288c

SHA512
034a8c75e5f582bef998ddaacb476e224ea9327988c7acdb6aec6a571e7064ac712c3c3c29ee86fb4985171dcf4b454590ba3e992d5531d68d0c321efc5a8973

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
6615f08397a448b10f253693f25f708f

SHA1
ee04ad1c7b6104a27408d466f617f5156bf08896

SHA256
b432259453cf0730e7e25516dd745a585cb119c68f03429a20d223b43fd211b7

SHA512
668f160f1638c0bec67e8537385e27018c4a11dc55570acf045cd00fc8b20dbcc425ea01b77756c31f4bf47b3654569e31637ea3ef716585404b4ee3c2fb9fca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
f55e83882e2de392e8d67bd35307c114

SHA1
72d5494b32e3ee05138288e2900d7ce4308d97e6

SHA256
206ab0a74177b7169ca363969e867d0e86eadf93b28c7c9c6c69c0684a6a9832

SHA512
f480627fbe157092f485279f6d76e70fd9714cb3ed1c19004e3786cab071af474a03bf6473627e5c98b4ede3c754bcdf3e077e783e49316bb0f4de49ebcda85e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
2133b50cc0f431eb0e8f383ef799af0b

SHA1
a6dd5d48de5b323293341196aed81e369b72d954

SHA256
a3b62966237081f0c6d1347268af3fc724beddebb97cd42c216236733eafb037

SHA512
9aced3f70b206ab31d5a57694a80db3a5933eed195cdd4b35282415def1bae8268c928fcb576f64d8abe1f1c46aeb9f9cff2e62f1429a4602fd3be90f5b9f693

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
088e74c97529c7af9c2fa9a83d2b4eb3

SHA1
07fa5b8017b872203452961fbc72b37baeabb469

SHA256
8af5f465635d61f1f318d2752c7dbe1263f15aef5763d108ec533ce06f4087d0

SHA512
cd8d955bd00ee0d040b836c2c3ca04cd9eab9e538630b9e7c78e7bd79ca3f9e88ac0b09f11813a56c1493b2ca61c89b0118b718ec01969ae683984a29f772182

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
3d0d54d7e7ea09c08d4a5ea11d97db85

SHA1
503dd1f075b3090bb61f80b22729b1263c9ca2d4

SHA256
e0d816b5a74116b913e2f4ec09b6fa1c3ad94888ffca439a1560dc6bc1c3b76f

SHA512
665087e8b243ce7eafa7966b2b5b1f062723b1e476d2f29c6df17bec375493be0c8c635dabb889ef3e5043ed64b51a0d534d27436a5765dbcdc19a697aa60bc2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
011a2a3ba87c90c6c537e38e727f5663

SHA1
02d186a1377317372685c36505b5c957fd3d2598

SHA256
766149b8ac0987e5f67b07c6e9f9473e05ed6690fb74791677c16552c3aabceb

SHA512
c44d3c7153d224a8a85c2471632779173043a9f7b9e0e0ae14f0b1bbc4b4583b92e7ff06d702d552a0b4f250a483eff45fb0b9bb9d52108bd006fbdb17cb9e54

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c01e52f8e7b07a85442d49bc09fe0f9e

SHA1
f8dad6048603a8f874bd73352ed0fbb487fe0395

SHA256
5e16660c30d2a2316ee7f161144e325804ffe121051e7eaf3272d962efc2341a

SHA512
2752fc19643ec4eaba11bb0945cd63f1a69a076d372ce05b22d0a8ceb7430ad4f24bab2453675a2da51e9aae5775428fff2edb6eb808dbc1313fa23f06eefb3b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
a580ac7499945610507507bda084d7a6

SHA1
d285c814f2c26850b02a00470e46c11e6708234b

SHA256
daaabb7ad929648598ccb1b358ca168c496e2fc660cc0d369265ec572d0e9a60

SHA512
8d91987f2989bfd9dc48935dd96baa98553e65aaaa955fedf04551836670f260c2e15ab4deeda1fe90abfc413f596826a8dfbf178a432d4abb6ea1d5e6c7a45b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
9b1f77bfe6129145fce32a76bd981de0

SHA1
3cec55443c759ccf16fb3df9855a49386a5f154a

SHA256
720b0578e1860d3d4a96b88368c6e647f98a52c3fe813a46535da8d9d14fbed9

SHA512
44cdc6e936aa6d2586334ed0f8d42003440be66c27bebf5d1028474c23700c59423a86897197920054348e60f8a4b21f607e267cd449973bada061bf420b5cff

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
004a054dbd663ed8edaaccf18cd8789f

SHA1
4f4cc034c29c0ff059b0d51f6ed6adb86cc11412

SHA256
ef4a31e49de3514ebce300172db7f1aa8ca9acadf5731078e54078118e3f8563

SHA512
8a7dd2a1d3ed6a84b56416c142388e2041465dfa6d30c0f7c54cec7eafa83cbd97712638822dfc31ecf4c766eaceaed7127633f7263f5f495ecf7614516af161

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
4182ecbb9838f7b757b6c7804c9dfd35

SHA1
91387c47d50122796df1ba5d724aed7994b39b2a

SHA256
4d4d32745d45e06b6d61ff053f5413ed19013074195e588f788ef68460491493

SHA512
d4a6494221a8d7c3ff0f4901ca688cedbdb81f27e440c2fb765832f87f1f8301f25534c50f17fd8662efebf88ac37d46a2a847df4428655c7c007463506e0d14

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
6f1755518e0e8d7473e874dd92e69d1a

SHA1
d809b7e21ee85b71ae41fc44a2aa2f93b5f943c5

SHA256
cedff568becd7cb8fb42fc63e564192e608b635c1af2a50d93184efe357da07e

SHA512
99dc38ee1c62454cd5d67a6d9f40722befb491f55857cbb2e57918e11f9ef9fdacce64b82785214d9c0c9d0e2095206a176cfede7aada50ebfd5ddfec1446305

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
e4964d39fa21ef4a867ccc505ba96b6c

SHA1
0766460f3da102423d779a7abc7cbf5570c77be3

SHA256
2a1254c2e8842a4d908d97f629e4862843b9cc753b625ead909d67ec581492d1

SHA512
8e32eea4db8ce14624dbf5ab44bc82c873cdeffbc0d6a9f5efd26c37c94e0d05737c2cf466ef6ba8a4846ac026c907068e3cfeb9da0bbc3e762872d3c59975b6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
cc9eb8af24203a5085457a800a6ad8cd

SHA1
8e049751ebc8a709bf84a9d22d0a74371085227a

SHA256
7f4503c2548a4efb320df122c950dd78fb184a6aae84951628ce5afcf55daed2

SHA512
c1847a853dbdbd8a2282de074b357be03a2a2d848ed2f57bac03deed04481c1bbe1d90edab364e0649af3beb1c918d7f67d91dbcb39ea0247c6172805fa10541

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
3ca8f3b94d735443434f9269d11e54ee

SHA1
cc8a0db0000d95750a74307fc3fd174beff81891

SHA256
95a002f89ce8362a79ced500106c6cfd4e859c5f2269cb710bba29a319dc8bec

SHA512
f430711c179ae1d40ca196f8cb977997d94d07fe37f91fc0110276af5bb556b1d987e5228525a49ecdbe570cc4d23edb4de1f7ef71c67a2bbed360c461b36b67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
9a130b7e97e25d730a75961dae0516b8

SHA1
60342f73f9890b25af4549300352b2cc2299b569

SHA256
8fc3c708138522d4240a5a49e70fed438ff090cfe2ec0485e6b83e17806f5798

SHA512
275ef0448a2b06eec2eb35a30e8a4a57aedeba2a2588df1c378a16f9efa9635db5114854e21752e35ae64c002b099156caec0e430ea98de90cafbff56ae81d47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
c7401dd7899437a893b84bd22d070ef2

SHA1
5d353a417b276f9362b38b0cce22435171ca6120

SHA256
2ae92bdc6185b56d74a57114bd67190c49147161590ee9b5a4512212fe9bb56f

SHA512
4ae4cc29a8be7a54cf07e3f4e5fd1e5a3735bb669a98378d129d1d5362e6ff9fbac13344fdee52fa43bc214286923bbfe67ac00ab141341285ae6654bb82dbe0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
d1e057738820a9bba5de33ea1526f4c3

SHA1
e36eafb3b5b04f6d61a61a33e8b2a708c84248b0

SHA256
a257e42e4262ef7f30b8189b4dde698642605be3eb69c1f4a1f865a9c6a28655

SHA512
f2d2d05c5fb65414f603f7d4018112836b6113f56bdc5762f2a79549f854d89e5e2045ed1d7461d3661335f4709be02e505742fb5a181207f94f6718fd2c2227

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
75e6f8b24994227285e6cdf6b28db8a0

SHA1
78da03e5b27036e28afeaf0deacad8a0f478a9ed

SHA256
1219c12c025c56269a8bee4ede74dd47b43ad1e23141ea0a6d9bb501bdd641a6

SHA512
f63afdc821ec1263b03289dc1c35c956493b6f75379af79360dcf67d2333c9ff1a94100a0dc2650791a78ad6db47c92baa34f673aa9253a91d55b6bd49e94b83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
65414e1456b8f5bc0aa27e166cf7884b

SHA1
6ca1835e0d32db2aa2968a89104eee03b741d98f

SHA256
5f812a863440ff82474b07805e05066ac689541688bef301bf7dde594ae8171e

SHA512
33893f029ea491ddeb4b0aeb95029c7f5807f7217f3001908cde79ca2c51072379af6d983d2fceba2717c2eca6400d0866196620bb9484bef39b35ebddc916bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
b1c3fba4451debeac7dbfbfa92f2a8df

SHA1
5aca5e4cf4cd8c40ce14ea827b02411936156212

SHA256
af8a117782db2b3519269896f6060b4327de62dce1737191635106547db588aa

SHA512
3fd61d028c229fc0b19f6c3bf0123d356c0d6fc1f31bc395d22a5a27c22396156d2b08d39f74d6169711f904cf61022d74e7f7186281a2cf55afa8bf8778c345

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
03eac6240a12965e8de72b652cebaf13

SHA1
ecc77867b2009f22d1269599b18e90ea86dafdf9

SHA256
b571e542f221f8f7bd4d997a4524b17dbfad6df18a49cda86bf2ce966e76f5a7

SHA512
5d9837b3fe8f243aa4a6343adb6e67af207a89055019bae5e9736517366c0c8caaf9560af45d48ad94315cd960d813d78adaf8da01123dcb9fb5def03a11fba9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
fc7285fe8e99db7bf9fb64dc425b7181

SHA1
67dd3019205d038c639ea7721ac4f401c80c2e7e

SHA256
47910ff204dba728e67347326f63b189e1a4afdd7e9997548c94afd81187f8eb

SHA512
fab6cbb164ef24b1c04cbb415ae457ca1e28fa6a8aa38cb4541371a588de9facea804091449250a48dfe6bfacffebf46612662d822f7b73b69261e8b872333c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
af0042e16c375abbfdb4a2a18c0ee9aa

SHA1
38617eb55be724da2e950bece726d9b514f2444a

SHA256
3edb8b0bf95e0c3d510e903534103e41bcd7177d7a7abb9caee46225df5ac646

SHA512
9f458b4d12cd0911bf6b25d05c5e58d41905574ccecce3094dc6da8a30c1aea8544717471b170fab22df885052ef94747d91a6f5bcf4421308d08b80d8405663

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
1bde1833d91374af0d486814bcc42c01

SHA1
004a1da99c5b175cf9ff853a1f4130e1ecae4254

SHA256
1f2fb5a99d99ced5325853bbef959fd6c51d2bb3480a4371209ac314037913f2

SHA512
368c93a7fd0a3b438743111d5e49494eb9fcf94a91c4c27c2e4081340dd56b9fb9d7eb39dcf4cea98caef4f28fe21e4f0aac1cbee67e67fa33b8f6d33f2267a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
ee926a9a571af14f1db183b7292e7b6b

SHA1
0fea4742334530d254c6795df46682fb9f0c4b31

SHA256
77ba18104eb5aa8416d23fb193b32994fd38ff3087dc884769a4d747070fcc36

SHA512
9b8a874bff34197b7b682b2331392a81e22d9f63f8121c049451c0b7da9a2503d04e422b36cde395eeec7a2515fe8c681a751260c849511ea1079c109c1c189d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
4fb7b2b726a0808251a8a967f8f98536

SHA1
391d65d0ec04fcc9864aa098db03d651cf067e71

SHA256
a7cf9d1aa0b3b16069c98a9262ba885437f2ba2db55f0def95a84f62e0f7f72c

SHA512
c1c09254c9b4d6aa995a269003d35e81bacf31f97d89ab426baea28a3960e9e9d8122fb79fafc16b8c3062638ce49012e1ab5b4c16e6ad07910b19274cd7e979

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
21b5308e36897111ddbb22b5b4b1dcc1

SHA1
6dc8a8701fa42d1d440476c674ca61a64c9e104b

SHA256
4373ecfba854a2099b31b79f364f0044125b222d021e08df01e9936b245a89c8

SHA512
8b15ff7c7c20c99563c8b67885d7cf7689a51e3d9139c4d2276108c91db3c2e940e572f1d96f4f7093ae8b7991597399d8dca9f82555903619c37632371edc03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
534433084474bad2ad66bbd26f74000d

SHA1
ec39c30b9ecba0a0dd26451083fa4968357cf15a

SHA256
45a623dcf04ccd022b88d9c6094f6b4943badd0626187d98b138c7be814348a2

SHA512
cb9079b4fe7f5448ffdfedbabdf7d83695fed25f894c98388956eefd9c6803755816992bf798f5ec41bb04396dbf44415bda166dc197db6c9c03fd64919fa7b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
d7961c9f53ae100799f967dc4e0af1a0

SHA1
3a744b868b0290978e7a0375ba066c8a5a06ba56

SHA256
274db1c14dda4a0ce4f4ab8d1acec16aacdc22fc15dee1d31aa184a592bf2c4e

SHA512
04fd62177fd9341f08baffeecc6ab5670e43b97353f9ad1066f06403d1497aaa49764017f3a31e3e36ab9ed4f1749fcce5e458fe19446d36a6f9eba1d3ac5926

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
a162f5b8169b8262375765de56dd0702

SHA1
eb5f371fbc57916d4fde15bfb5f101907a0deff7

SHA256
b29ced6fabd1964153fd9755bf529f20b8029e9da70c1c6328311e4f43276b31

SHA512
0eef3a838153ec89944f7e76ab858707e733d2294ac370d6a4824e73b53e621b860986b4b464592b9c6ae8742304f6f8821fd44d79b4c8821eafb42ff3cf7721

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
b9cec2a623af9b73b5bb1ad86371a69f

SHA1
e27503a47f0ed2e4dc59d6c2511d6c1533aeb575

SHA256
0bd5c16e737a7c909f030f3d8bef00e8706345dc213b0f286635db1ef85b75e8

SHA512
c2747e04c3aebc98f74fe245ab10137db78dfeb535fa2dad0f0168db4a1db79b58cf56fb0abb6f5dbf059ef19f5f170c293141e023a06fe2e30da415bfdbd009

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
e62afeff2559b3739310273c0918dd93

SHA1
68d5b5721b03fb96f71225566e8339c1d8a5cf5b

SHA256
42526f0e01f59f37d9aa285439b5d080baad4e79f63ec2dfc14336bffab46650

SHA512
e23acf17587098939d93a6d623bbb0ae59b1b7258a734997677b4a83b99b760d848f25a002751e65f04124a554a77bd812206cf49cf873ae8db3623e33541a2b

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
64e25e47fd3450946de5cce4aea863db

SHA1
be1dd489149ee03dfc7aec7ff15038ff6a5bb0e2

SHA256
75d54dc9bb77accc976f6616c9e8e9975fb935a2eec4db44272211d5f0228a26

SHA512
2cc473bbb5db444d8b0d45271e1bca95175e7bac4a16ac253373bf7261066321d451c8acc5edb071369ce40b27af2581435df2d2b0978585cc83d78361ae69d2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
f1631afee30bd727631f117cad6227b6

SHA1
432e03fb3c6e633933305cd2f8381d8ed7de5cd1

SHA256
cf2e06c9d9e364322bfb71bc23308e7dddc243cddf7c3b218aa5c7858c20fe19

SHA512
35ddeaac4c3e9a4d58cafbbd3c28c00ad93674ba41c08c286c555b1c11bce88f6bf5bd45a71976472a527fb75e3c67012134cdf87494e27751abe778f2374888

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
4184560c8f74495e0319c9770a5c727b

SHA1
3ce98f6adc9c4cc2bb91c5785a6dbd6ea25c639e

SHA256
51343c2b38c119ac8330b996a408bd3af7a150c110e682744ecafb3803a7e868

SHA512
cb6b21b4c233089102831e7d903f9c47504f4c530f8616c3a388923f29136b04503a1c6a643a1a3ce1aba51d7a2ebbeeab609c2e292ba3c08d0929a9a2dbac98

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
114c67334634b2e85a04e35947bc4b81

SHA1
b4729ce60937d3145204919ded330659b38ddae2

SHA256
4ef8b34bf5850bf7618f35a9b77fde75440d8d109e1cf9c55f7409907dd9e865

SHA512
67c7a16e1fe98627b8f8e8ebb9fbc5bb853a80c30bf0a220a2aa1662f5371a2855f11f0e93cda0ee93d50d2aa57f8bfcc5050e86bd5343414444c22afa10614c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
71652cd486f29a14dbd82e5540ebb162

SHA1
8ae3d5405c6f43b2fabda180c714a8a4df17ea87

SHA256
a33267ee6d484fd1ad59fb89731ec386453d33a991507638569d192be4c1f9a8

SHA512
f15079ddeef774e5688bd599026b1bed2aad17f2fea4a10200649fa5dfcd432cd514d4c372f0762c89e2f1cf427dff65672de1c94579229dbba081c1f421781a

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
4679d30005a19666bd5da5a8bde5c2fa

SHA1
6906f3011cbca96ed353564b062963424e242675

SHA256
6a34e2ec8686257e778e0693151908b3f86b25c60cee42abb9a26bd55eceb886

SHA512
d91b30874714af66c1cc3ede5984f92de6d08e7bd09b584c62d5af3ff357b5841df041ea4543b495893abe439f899225224951ed4dede2d13fcd0358f0efd1d7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
9e639c48eec306b3a5fc48d0697178af

SHA1
de4b109df33a6283b741452c2b02abbe9d165316

SHA256
78ed108204825efb84aeba552edda801e7d68b01daec04e6f45585bfcec93e11

SHA512
271c0c9b7f0fa79b8c307b5fc8bdd3c3688cd340f8a7fd303a13d401aa2f7b0c9889fa771211a1fd040c7609ecf23d311966bb2a4f4e821d586fb20210a2c864

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
559f372003442da6e63a59c0ad82eb21

SHA1
1c49ff1fc7fffe10f356270f21f3edbd7dd022cb

SHA256
689020128d05287f135e155f5e5e89aaa8ca15fb657f77b482d8d1a059863b08

SHA512
aa091e1bc436876b0e46a5123ba6d921f147daacde489db70f44f02244979747cd4fe29f5502edad493509bc6268fbe3cced56beba71370e4c599fc36e77ec1e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
5a0e84f1dc1a5e4a7e8eb4722536f21f

SHA1
98151cdb17d7180116fab99e874379b1158ded74

SHA256
8a545d4447bd83dee264fe2e0eb159eb1a0a585ca19a361c1843cdad41f47296

SHA512
1055bab08706560ffe0a2781c19916e7432f262f5e5f0ce6ca9e1bf29224aff6b89fe527fed2d0df7ca4ab2b9817f37bc952f34e065881c7d1dbb12166009055

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
24680778c33afb079d5fac9497394ec9

SHA1
d7a18c0e98260ebc783769779d61e23ec5ebf51f

SHA256
40756a3a6c4575e8391ea934b416062ead0491d9eead01766d6fc21f4fa61aa9

SHA512
1bd261b9a0e4b85e03ca9f5a6d21d4bfb5e6ebb819d2c0da9b2defadd5a62fbceac160b6230d9b1931d1cd017a803de4ca0c15a12b66d2ace96369e89accc47f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
029688337066384e2d812a2bd5d6c04f

SHA1
23e974a9f6085a2b0d7e8bd1ad3ecb256756f4d6

SHA256
dd55aa7a01e3885177c39d584cf0ee76b71d6a8c7fd0ca758adf981d2aa23b9e

SHA512
ec81f9e34a6cc546549b8b065ef6afeef89fe0f92c63452fe1cca81c9e10480c6114464dab86c21f10c114f60f19604e8d00c3aa22c979a2b8f735e143877997

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
81262b6dbce5dc2593afb854d2925ad0

SHA1
07adea954b7c32bf4ecd738b28e8a022339f547c

SHA256
e99a69276971dd9572dceff4500868f6367bd0742a759dc7c85bb5c9b949553d

SHA512
51e529a3b372b71404bff85835bf649b5e870500c0384e177ad86da421810e6553e84559a2127c67e580d995f5d2b95fde22e759fbddb1efd98c05b823b9a3fe

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
5a7067f1150245bd48b1d2489ebbb617

SHA1
5e47a52e53f0858433b5b865cde49321962982c0

SHA256
a051d7ba1e1a9a2813ee753f21ff7efbd2efe3adaa50ee2e73cdf0eca1fffdfb

SHA512
92bdbfd6993f3096b531c81cf3e3601df5fcf7cdd18eaab50a57072c67777dc52e095691ecf6dddb14ca82e988d716497906d8d4ab22abbe2b285008cf659e5e

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
f296da66a940ea88eb4bc4886a3c7dda

SHA1
e0215c0c76b6d49e79272544fe55bd539bbf8828

SHA256
f8d73073f5be2d9b06041903e0f9bc2c05e876d036bd6818877933b6b7370806

SHA512
674145a18f972833e5ff22c742fac9fdbba1ffc1c3f0c336f802ec8226332c98c64fa41ea946f6575f6b422e8bfd3e7cae140a2094d725e5044398e7be4baeea

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
274339e248520f4ab4e4dc95515ac6f4

SHA1
1441da107b2ecc87714cf00124ea3ade27fac14d

SHA256
8de728bf646e6d5758a55dadea12559207899e3d115788c6f8580d009f891373

SHA512
c14affa27095abd7dea61286371a189de9dfed15ecb85211eac125108e1390982a5ee1651e13e0482256769b4cf341aa81da56fe0f2c6cf570d607623f1b6f43

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
99a59a27997a42bc25623d1ae0ec7747

SHA1
489a8cb201737999fc4cc875920145d83f234555

SHA256
5f2eb284eb4f2f55e74703fe8e2f930b613fac352543b680afe8ee87e2cb4302

SHA512
5ca4abf861eb28c6f4f127c3f47597ecdde4e7b5cc354dec4b4b05d9b5bf20804e19717ad1b7541bace5df4c77bf9695e97f0509e167790aa69c0a408eb2b4a4

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
63951b3cf0e898d20d7da2e370908bc6

SHA1
54ac9b6817b69b20ddaf9360e08c6f909012406b

SHA256
2fea0ea0c90446c5da8cfebcb4a937999470fa32f9a70f9763c8f5de0e1b9387

SHA512
639aae3ef01eba1136cbf086b841f3dca34d3516002dd3f9bc9d5dd826b0787e65a3eda34ee20360adb163ab2609cad6f86acd953be0cdeab12b401d13530414

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
6f476ff77928f248b34f143ab071771f

SHA1
9887bcb508a34a45b846dbe0ea94aa2be6a4d897

SHA256
5b44bf3b5b857eaa8e9cfba4d6f1c5dae773621495590471358cbdf812b093af

SHA512
d14fb7185d898b6cc1c1114619e44cd88c1adf14ef2b67fe5158ff2b222f6dff44ef813b31234d4b40397586d014370d28f026252fe2cfd1660db83710f07bf8

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7049318f7409b6aee81326c01577544f

SHA1
de521e6abb9f5860579a080c66dffc883b968b35

SHA256
69da1bb58e7af5fca6148ded61365b0219880e7dfe8d8de5ea05985159ae52e7

SHA512
7beaa511affab921fec9077b2b382d8bff8e18369622d05b615cc90f3ea7a2e5cf45160b5d02b37d6879ce0daf8e59e48ad9ba54ac73da1f570754e1c8f0badf

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
c10ab90811d3c7c82a9cc68da8770289

SHA1
9588b4dbd3063549816ac468f87731a342429e3d

SHA256
f02d206011c52e247abb08d294b3fdf901aa3fc4793ef317e761743c88647b78

SHA512
633b2c70abd07c10db4456bb796c8718d56b82c35159f041e258d3714bf2fbf8d904c3d9b38795188328edfd88ae3835243a3c666e047c78d36b957240d35a87

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
15b1cceb2266e25d91081c9bfdef01cf

SHA1
0bf70a1207291d633c4b459161675bd072b76f26

SHA256
6dac711a6dda33751a59074ac66748283052b3bbf8bc7f619514c8a85f6da7f8

SHA512
b366dec1b0fe20f548456347a7215819a9b478b4deba143fa9bddb27bd432aacebb5a7a309df6cc5b2de4d29bada040388d2d00ae316a00aeb578604843d3409

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
90aea77ad7b2e40b29fca2efd5e2168a

SHA1
a73649288e97bf8048fa236b4c7c467b97588d25

SHA256
0aa6bf300f462eb4516fb709e2a4252cb9831975b6246918304f28c3466d1eea

SHA512
c234919415f5e62da82d96ca7fbdde7effdead0f2ca18a3b2c6d2d95a73542f615218da16df404662ca24c0b456c1adeb34ac14aed9e6c51136e021aebd5e2bb

Download Submit
memory/1248-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1248-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1248-75-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1248-88-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1248-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1436-642-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1436-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1436-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1436-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1776-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1776-100-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1776-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1776-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1936-1-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1936-473-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1936-9-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1936-6-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1936-472-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2012-55-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2012-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2012-49-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2012-641-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2032-512-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2032-269-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2036-90-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2036-101-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2416-271-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2796-112-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2980-268-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3048-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3048-126-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3048-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3048-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3148-127-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3148-645-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3272-267-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3380-647-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3380-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3568-277-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4000-45-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4000-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4000-39-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4000-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4000-62-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4144-276-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4252-275-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4752-278-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4752-646-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4756-272-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4776-274-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4824-270-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5092-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download