5ec2276c87a5e73a8e82f31b04b68bc180955b5916770dd755381440bd04eb81

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 18:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
Size

14.0MB
MD5

79a6516423680a7d470bc839b30a6b79
SHA1

dc8ccd39efb34ab9984c3f333bdd1bcdf3e073ec
SHA256

5ec2276c87a5e73a8e82f31b04b68bc180955b5916770dd755381440bd04eb81
SHA512

39875d0ed4314f128026fbec3b5871b536240f685c1aed4c4999654e8855a87234d40a8fbe3e567b30e0d7d42452791af80dc739179fb9c9c5a5cae773af3fc7
SSDEEP

98304:s8fjrjQSQkiSfGMb2KU0fxdibpFl5sD5NDi1iKZb:s8rjYSU0JP/k

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4380	alg.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
744	fxssvc.exe
1780	elevation_service.exe
3348	elevation_service.exe
4064	maintenanceservice.exe
2200	msdtc.exe
936	OSE.EXE
2444	PerceptionSimulationService.exe
2248	perfhost.exe
4580	locator.exe
3080	SensorDataService.exe
3148	snmptrap.exe
4092	spectrum.exe
920	ssh-agent.exe
4596	TieringEngineService.exe
3668	AgentService.exe
396	vds.exe
2196	vssvc.exe
1444	wbengine.exe
1588	WmiApSrv.exe
4564	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4a42e109ad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\java.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaws.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaw.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b68b7e98629ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000474bff98629ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8a3da99629ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8344999629ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084aee298629ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d13d7098629ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021d06599629ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dde9dd98629ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4f66c99629ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
Token: SeAuditPrivilege	744	fxssvc.exe
Token: SeRestorePrivilege	4596	TieringEngineService.exe
Token: SeManageVolumePrivilege	4596	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3668	AgentService.exe
Token: SeBackupPrivilege	2196	vssvc.exe
Token: SeRestorePrivilege	2196	vssvc.exe
Token: SeAuditPrivilege	2196	vssvc.exe
Token: SeBackupPrivilege	1444	wbengine.exe
Token: SeRestorePrivilege	1444	wbengine.exe
Token: SeSecurityPrivilege	1444	wbengine.exe
Token: 33	4564	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeDebugPrivilege	1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
Token: SeDebugPrivilege	1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
Token: SeDebugPrivilege	1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
Token: SeDebugPrivilege	1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
Token: SeDebugPrivilege	1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
Token: SeDebugPrivilege	4380	alg.exe
Token: SeDebugPrivilege	4380	alg.exe
Token: SeDebugPrivilege	4380	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1544	2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1752	4564	SearchIndexer.exe	112
PID 4564 wrote to memory of 1752	4564	SearchIndexer.exe	112
PID 4564 wrote to memory of 940	4564	SearchIndexer.exe	113
PID 4564 wrote to memory of 940	4564	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_79a6516423680a7d470bc839b30a6b79_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1716

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3348

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2200

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:936

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4092

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1484

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1752
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8af49bbcf160cdc7e45782ecaa39daad

SHA1
5bdf7bb5996ca442ce2dc67e66d9943ad8fdc682

SHA256
9e609fa1e90037d6e3565b53faa142e0bd2835faaf8173814632d361d75701e9

SHA512
a8655dfa72c393e23302bb1de745dd53cb1b2761b4103dc98f73b0e9d1d7e7f18c2c9ab58b0f6b041ede96f5b1f64fb65e4115881027adb99ce15e96d37e6965

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
d60c03f6310a61719dc84692dd858f22

SHA1
b9d12ab9eeda789bf2188ee54112baa70cddc5e0

SHA256
2baa425f5a7abf671d9b271f39a1e460a0b3a45ea7177f4481d792b825ec0db6

SHA512
412e4103449d34e7c447c97ad65a4caaa38f99db30eb07e5ab155ea11484e42e383129fab28a714a4a8a69dbf129bfa903f73f2f46bea7a9601b5365c3243fb8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e6e12a6d4823b79e6564efaa79b78965

SHA1
d8ac8dedfdb4c32835f06e2f1093f4d72fe4f9c3

SHA256
39ecba48745b99c0f8e524026597ebe66ac6a77b1e3c09e512eb5ecc44497f2c

SHA512
2e0da78f49612159033ea49f531279103cb40e775660a2f3e9adbe59a1738931ddd3fb204e3321bc971aa20a32bf53a1e5f275538b013f76f35bee4430111bb2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9db5d84ce28705a4b09d81e3d6ae8fa0

SHA1
0bf934b95cc6c1ab3ac7475c7a270f3945565ccb

SHA256
5d04214068c860ff7e57b6e695e9a6243a358697fe766ba49947346ac425e49d

SHA512
ddaf2445c3c7280066a255fb1ac145fd25e40ba8ff7a2165eeba6ddf3eb89a99c38386a5382633747958f13d32e57f7eca5c2cd77695d95591c63d5ff832a025

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a27a45111c2fbdf4dc03d2e48774b028

SHA1
832b3173f2bb405298ada74c3816b260112da3fa

SHA256
b173a72e3e888fd70347473031e5aab33abfab7eb05bd612d526ace28f8bf9d8

SHA512
ffda56a5cb1bf46b181d9f766ba4c5545b15fead07e2d0f24528b0d828496b71a5c50d3540a5a6630725b114356d3d9cedf6ff3d812135485f2dfe5fa7be3aed

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5ea3e92b5dd69158adcc8d267b33e44f

SHA1
3e6e0b5eaa4f1e96ccb76a4aaf2b9e1dcf6b83d1

SHA256
19de40208923c6028238c28de34af8e1427f6b0bf4c01355c0952837dfe4abee

SHA512
52c7432302ce4c0ba1dec8e6f0f79280442ba4fcdfe650026c2d45f94ed50c0ac29ff28ee53ac48f521ef2c99af1fed9c8bacaee7b2e53cdc3e6a965448fa543

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
a086cfc0a470fb9bc1ba81b0ce652ec3

SHA1
85c722f5deb3d8d8252121fc7fe33ac0604f3ac7

SHA256
16bf0fc8c770b125b0fa9a7c93ed6d10026c6d37093bcff4d1498c8cbbada718

SHA512
6b08af1a8a77f4bf78299daa5b3b920b8cfe3d0ca9433065042948075f3938c97eb950f8788e2fce1bf343d407680cbee11a4020b1d0679438153e5132e4877d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c5fa24a64adb51f0161d2590b988c743

SHA1
3e8fe1fdf059f4d6afa86b7acc4d2213c3dfd5c0

SHA256
0424402507d3eb882936d603803ab9b7312272f66407eb9e04b4c951741d7f9c

SHA512
2cc1b7a988203777e76a4837b8d0523ac2e8d99c20498c09968118ba1b708db4d7dd7b73583dd6dca011023c5cb443b38624bb9817b9dc6e1f0fdd5b24e78faf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c2a413bdbbe876bbb4137b3f0850e1e2

SHA1
809165f7e7ae4190ce8a3b02845a337238004c33

SHA256
8973151f19750b6b946f184aa07bfdead43e0fd2541027bdf57d7dde064f4999

SHA512
3b82acf042554d7ef1f120905b2fdb5d9e9b9a740e65f9326314d999639536afc4832d045d953fc3e369c0f6ba2568385478c6bb4517ee3f993ee7df321a5dd3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
534607e7b1eb643c87ba74945e6826c4

SHA1
7af6bec2a0dc449ca02b934f534903bacb98302d

SHA256
b489057e63fcf861b3b6ed72aec03d5fba19272296ce1fc52dd4c8ada826b280

SHA512
f972fdba904cfc914bad988d2ac34e047a72bc17d77a65d17b3b07c8315b885c71759d7b9439bf0db3c05330b0baf5df21b548fa9fd7751b91c73d6c4cb54f5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5e0a579c918b36f46f68efca73847c9c

SHA1
796ec01c75a897927d245c49346ad534dbbbec20

SHA256
af6027dd659b18973aa40e11b62f7155ad49493893cbfbdde359900b00e5bc28

SHA512
1a35ac9a945849d0817fd4db6cf97d5be9912ee938907fd998145cde1557d1f8474fdf3cb5ec14736071d5ff6cc1b5f34b14a7a1938c09858229dd056661d4a9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a858f4fe223c27d04a8ba76b5bd94aec

SHA1
4ba16512185b43e8c00fc2fff65273f1348c53a9

SHA256
de47f956c730b5235ca6c55abc49ac47e82f33c0ba9548955648e624b425c582

SHA512
21806406fff92309e50b91821e5585b359995b8c8a38c7b6049bbc1f7ee6285625d54dd1c3d4a773a9e22cdc01a755821b7f7c8554dcfad92bd1fb0ea6683c43

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f973ea3d4c36cbdb1e9a0427989e65ee

SHA1
ee2796419ae8edc17f45e1298d5ac430c8be8fd5

SHA256
45cfefaea747a8188a721daa11d13d68a363db250566c5a6017f847fbc9e2cea

SHA512
2533275740534d70d9100623c1ae9ddd514489f61d3ed5e0bb1ec9658a75d344cfb3559004561f7a45ce7d6f7e7f34dcbf0810624b59082bc027c48a942f3c30

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
37ac6bed217a4ecb4118c3997e83a61e

SHA1
75138c4d63c18409e87ea42aed6fc805bf677fb5

SHA256
b30354eebbdedb15cf5a672d0b992d883e4298ac1949b0d18dbff6938c2ce184

SHA512
b8e36b14171aa3f7e925ffd2327078230391fd138d1758d0fabe9866d76648244aa68e44fbda976c00a4c00a4097acbaed9dbdb63394e66d23f05170f5a1d706

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b3aade29bb61d01f1cc8bb126f0b1f2f

SHA1
c3093c4a33763f7c87d5ed528a8bd2b37077da25

SHA256
d3b662386f19f9e203015d5269049c9e91e7fffbd738b244f37dcba6facc8e48

SHA512
15a6991ca103a52ee2555a4dd98e36020ccc0ed12cd67e17ee0c170be82578f42f0095c343f85af6f5ab2202525081b0f2666ee86a5e960bb264452657209905

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
b0c28bc617a7b2243fe22557c7d44467

SHA1
95e5cfd3722863e2fad5eebb20b0d446110ae695

SHA256
af39f857090fd30076b99e74042fe29f18a5c72d46bca1e2cfe3be38ec064dd7

SHA512
30c37c82b039131602bfa374e17b94a63b76446750a91e4b990ecdadd551b0a350641860c61f85df2848f213294c102f0d3478168f21c3d01f80d1613470e9bf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0536c3199e32121682f7aa4d575b6a03

SHA1
2e85191741ceeb25fafab7a52f38d55bdd2bf60d

SHA256
0cf7bd231282b7475cb07e39a25eb17afa5520bb95acdc976087d1a1054e8f28

SHA512
c497881e400aa2e098fbf11894222672f7310aa6e5836e88c6d534638b669ff2c5b79137d40558582d644a882ed1c1dd038a69e99d361ebb5fdf98fe1550eab5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
6d53d3c256f98f91692cfd96f84c644f

SHA1
ad17433114fb65b795970930e27bf8400d4dda39

SHA256
5ce031266e542b7ad210129d3cc3e66f5d66f898dafc156c84f62e9d30e307cc

SHA512
d0a31fd1348b7ae9dc781a5b837ee4619305178bf4c21d1ec1f898e57b11134789ca8db366cf99cdb702f668183b2b63b0a9ddacf23a9b1d3cadf3947e40aed6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
43100077622a6bca4870709812f4b2f5

SHA1
145e37e7e4fcda2f2079f3054304167743e0c17c

SHA256
66bed5157eef060b486289030efa32bfc3b97f9c256516aa2daae4a60cdd6888

SHA512
1933a9cab72cf860e2678c5a46ac7effa022acc5f0819654a170bf28d9a0dfd0c7019a4119d3e1aec735cddecb6ed1808407061a81e69726087c4acb02e7c8ec

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
f7754b2434c59f78c7346d0ae17c6b39

SHA1
4661960af0eeaaeb2e2e3c8dfaa4159716dfcf4d

SHA256
bd31ce8ba2996819d79d3d020dbf2c23ebddbc324afe5c0ed8648f4b5da041a2

SHA512
3c735ac1e8cc255bcac29ceae36ff1787eb95c5292e9d0901571a57038015b4399b1bf0c4f09e84bb4c7e01f53cce1ffd70fabfc1717e9b07a1ee661d6296ccf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b826e80cfb0fd3149e7005a9d720fd79

SHA1
869a42de7fb7f1b9f74d012f6bebf65eb50187f4

SHA256
8cf2fc78b924b365103e3750db923d90fb22f522b863cdc715d0c3e8a5a914ad

SHA512
9e5c5f088c58c2caa80a31b3ec9bd3509c69558616f7e34c30a23abfd14b7d6a6b1cf8ba57ed8bb0923bb8263e07c45c649e7c5a3001cfc0cc401a71588d7226

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
dd4d1496ae94947d09f80173285b96cc

SHA1
d713cd1d2b08514bf13318569b2ece308612d98c

SHA256
483d60d382f1bd5b203c6ea5e0228bfa4b04f527e38b62ef208b14f936ad30af

SHA512
8db3dad35f6da8cbc553fcc6bdcae369c6b5ecb85ada7afbe4ec12e312ce196e3cbe974f134e3bf382a85751b0f5a4edfc2723bd9824fee6878a9a600777b921

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3cbdab95102c1ea52c6577c6d5cfb048

SHA1
b06b011264cc7b5044e0ca727ca06bfd95311b37

SHA256
57662e7ed7ea15f95daf0a6f0602fc478148dfdc0f482cc68609218a27232a96

SHA512
69ba3135fac1d05032e72ea018e888d5e9c9f0366ab63b99ce8a153249ff32fcdc95c15e60de9d50209949fe14d4327ca0f896abe81cf8982563274b59af3088

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
706adde02fc503f64de53e30540c7cde

SHA1
047354674ced5f0808498dafb27193440c0d4091

SHA256
9ac5e36b7ba48d2e4c339b320c8084c4230ff9e74f2610df8df9d20427184902

SHA512
316ecd3391cd0925cabcea7bfd650cf485ecf22f5b5127ecf9b93068dfbe7bae536fb363c8bf90604681f7df91a8c75d3401d424c9a65cb718e65961339a1d8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
0310986f8f4a81b0bb7f176558154a5a

SHA1
0e4f7e10c5711f2f863960ed441a055bca6e7471

SHA256
a7aa2b90865e357c4a540f52aa683048d3856d6250d256241c05f3574d46586d

SHA512
35e2b6964360310cbb0d4909cad2c3591dd75b8df77fd4894dae49d9ce4218086d3f04c3e43fc6ad27e47e927372eefaf18c1b122b736f508b7ba24d7a6fb7c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
7fa031c8520df1125a521d9ec263f65a

SHA1
c139c90188cca06574ab884b3af793916dcc84a6

SHA256
b4cb2de2d9be7526109e59b66489012bd70e3d728ea91d5fccdafab94c59cf64

SHA512
ec22b21496e8f294f8199cf6d52d2a58e7db6dcdeb4de60ad6640d8b4e0d43d43f1e9aa09d40f245605b0034ddb57ee5241afcd5380fefb932d23dd17e868585

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ef5a2aa06fd06cf4243897ef1f3d016e

SHA1
e8334c408a963d606f2b98aa3a5039def0f5434f

SHA256
ac31814a497bd8dfd5cb4c1c32b1b8fea8345fde8322944fc67184745cb9a757

SHA512
3fb8b339cc52f7e93a272b714ec624382b3bac5466e67e571939dc72ae2490b91ce3949353cad8345533b70bbf0e1acf5979bb4706f12139ebe853203e8f9dbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f0ce04a38bf73d1618597dee5fc1a4aa

SHA1
1175a5eee3c319a5954406df9d6acdf3e8b8d9e3

SHA256
0401296e5c4e59bae12c44b2442c82d6aea0f5561bff0b3fcaee27defcb07f14

SHA512
3831afabf998ed7018e3a6cdc7cbf564e3e08169ccc5521704bb7e04fc1118fbfd5d4e9ed350e0e6b4a8ee4c9719445ca3f17de9a6085fa2ad862d6b63936535

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
65934064f00d1faf7dfe2f7bb8899e49

SHA1
6dd53e4cd62354439f1df60fd3386bde9e43b0ed

SHA256
ab785b7fee73de3eac3bcd46c0bff484ee45ab19dcfa3991143504e1e4d3c7e8

SHA512
e080caa2b5110a14d50a77f9275823b7926eb998b5fa082321e8cdfa4a9c6e985209520579f7ec2c7547fc6e225963645bc2b12e635c61b5bd51358b78f90f10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
88809fbf0c8bc5e73d3b0c96ba7bf6a2

SHA1
b2340cdf35ec486ee1e2bf981d68b01a6ae13fff

SHA256
835070d79d7d785d43c5669a341f7c0d012f585365ba0074aa8e600fc8552e1c

SHA512
f707e5527bd57778996a256b7165964a64147de040d28136e07f1e44e6697278fa228f453618601e60f3b1b707d022c736b5ad13fa4b399b012b06d831574526

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
95a2132b422301e221a4d3a738c0c89f

SHA1
7e92b9191bc0aafa7a43b3a9a41c97af69424a4b

SHA256
079e0c8b8914c8544ac3e223095548f8168d036903b80dc9d7bf90df510306d1

SHA512
e340e8336b1b7347ca5e1b4f967bb31ef0de223e48aba2bd28361cc70711d8a524c24fa904018becf53bfa1219b72288371a6dfbf5d02b65114078b3e16a7208

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
342d368b93214cf8f0e47126c2a65306

SHA1
52d8d23ac61a98ce4eae893f10e509cbfca77f83

SHA256
785f317e303e80cdb5d880e411eb8840180f8f8381e71701e3f85c7bc5a7b1fd

SHA512
3e6d4cb3f02bac4cc8596ad7865d8855cdb394ede0e84e714fcfb320d350137a5538fb6829029fcde9af063aec3c960fbd59f02cf537295bd0bcb21f8adceaaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b8e24408a71d64ba4bc13ebfd82ddd5b

SHA1
c4b5e851e8b78ced90588f6a9676285e3d24e6d2

SHA256
dacdababc1bf03cc31b4c47cd62dd04d1c97e795955fbff90fea74eceeb76c46

SHA512
827e255b344a35f8fe0c5d8bcd3d61200cc2a2fca7c7ed6a78f5fdd927f6bf5178b801354fb9854d1faed3b5661dc455366fa4885bce460118b013f13f9921f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
62db59e69813315e840bbdc12a976d8a

SHA1
c6d363516a5425c61f7577c9dbfeed0b29dfa213

SHA256
b8be261b027e861a7ac4560d7a388172f93e1aa8e79ea2ebf30e17aa19c00902

SHA512
057439fa5ba0858760ef1652a7ee6857a2782400bc2131444b85f384fecf1eda4b8c033bb6862ab9a17a7980ec41a61a6bd64ef97f442ca0c21fdf20958be794

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
050bba19f76ee907d842d4785a6890ff

SHA1
111dd24119c3612c6ebbc5304ec576585cd87bc9

SHA256
9d8dcaaf3f0be7cca13906c2b5b451959f3a5dd1d6638d8eff24fc3c31f89cc2

SHA512
b1c3ab8eb876a677e28ac29d5e4a6baa2477141da1a73320d1754db98b456413b5f49e3d83c75e4ba619f74475c1fe5857516de5268de6ed36a676598a803fcc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0c7136beaa3266e1f8d1fae45263f6d0

SHA1
2728be59d8cd715666284128a54094c62b06ee4e

SHA256
f04ea1db8d472bd793e95419b4296b13d979aaa34c6a98ab5f78ae6eec479e08

SHA512
a2aeeeaf30255c2eec31d046b403e3b89a2af78a15897ef09ffc078dac6b6d518a0f1a1c85c49613a68f320e71fae4de6fa33000d2f4d7d303a6d1571372698c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
23d4b7e069d391bbdad5051e21f15266

SHA1
1edfbf90ba792b7921fcc6a72e9d856f2cf10972

SHA256
21ab72dde753b568082df6c7480f580056321fc5055ff08252c147ec1a9b9430

SHA512
2d8bbfd2f5be2916617be3d346707ef38ec37716a4cad097c6dd18ef2fcbe36fe08cc10d6b723dcdcbc2e337d307da620a251c837b18d1166f77c9c623a8c5dd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4162a88fc0e815804ef53ab61ef8028f

SHA1
f836067526899e2a5ef0adecc02e316b798396bd

SHA256
5b08407687f502f265662295385f4dd8917956a20566bb0635d801db13fd83dc

SHA512
4c66d1e3195f0013af8b0085d3b053953e8eb3b6965514011daaad06d1bdaeb58c8346f6bda56a9a1d5dd7a7e4c4391b03d92e3ed63ec7bf4528d02d2d9bdb95

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
216aa011e4a2dd8b3dc4ea1f5cdd3e70

SHA1
501cfbf836dbc9cfd459e392c1caf5768ecfa72b

SHA256
ab1872adc4c02beedcc658c7baae6e0fd28b75166199ded1fe2feb6db293f3b5

SHA512
15401acca1c941ba0bf9840c1254cdcc2a6bf6fc29242b527ba6ef253e938357a5cd7252a820fd01ca2ee28d49515ef7991a987c57ec5967ec9c8e4797de1e5c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
088c4e8f59c8a2845a418d5b13a65295

SHA1
f72c985e2d06276f887fb2d87f4e19417ff931a2

SHA256
0a092017044a479c9deb6313bca440e1b1f5d1c529b6d1bd1fdbc0f26c734b1a

SHA512
7300603a960242c01844f5649259cd12966dba17a8fbd49c38775a1a560b944a86c91c5da1cb0ae20527a159dffd48017111b028bf2412dea2764cdffa01a8ce

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3c1119c9af09950cbf589a20a61ed985

SHA1
10bc6e785f1e2211f09fd0230b3e303631b3af8b

SHA256
40886b93f19849956929ae3f3bd2b8716f3b7f9638bcb23482d552ab36cbe953

SHA512
a3bd2400f20f1fe9cf6e512a3585deb8043703fd1cd3339c82a66ebe19e02c9da7f068c9644835b6876431d7a1ed176a7102baf7f6cdbfb8896d0fe514953418

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ba40d234e7ab6d218ec329b816714878

SHA1
eca48e192a5e95fae7006a4eb37dd89a0ec9c64f

SHA256
7485688a6bb18a39d214d6944b620f52fef1d0009f6625913c685b9a683da560

SHA512
e3f84694c59f899c8624d3b02105ad6ff6d11b43e845dc53595ae738829fbf4f6ad9e9848c71181269520d5fb2085dba7a308f50d778a7a36ea6f4fe8c5a1e71

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
feeb46b3727f6d95140fcd44eba9ed91

SHA1
2816106348d9d0383177a435c6239efad6a04386

SHA256
5cee90e6e00d3925ceab0d045dee8203f8695c7bf826bd3cc1bef58284a8e113

SHA512
e42c99672e71ac1c0be6629a96f68654fff254b0e297dd59e38e6442234e12de8b9536c289206ce7ef5cf272cd15ed6b99a6bc246a92f2f80a6efdddacaad8a4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
639001e788e557ca429e99ea182b1b87

SHA1
f4090fc8738bf42726991418dba1a397ffb06d15

SHA256
9371bc3e57db3ab61e31be8529d1b7a080b3acd79a354b3a3a9f5fc5e06131ae

SHA512
2eecc2f8b97fd84189da5515863082405beb9e34061b29383432bc22c3cc046717e6efd1b62c8d42f227cc4eefb1cbc32de926010f609e245324c21cf1375cd8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6f5d12e289142d2492d7799509b38bbf

SHA1
16b3c57978c7067b6d3b6711381e7c7149e3989e

SHA256
77b16ccffd5b3575c56ddb7a50d2839bff2df3b137be718b94172f69ed0b1f0f

SHA512
71526e833c14aff62a0cb8d5a6bfcb91d3f5eaa0de42e5480a455374799ecb471b457669a7fc0b12c8df888b5aa384cc23867cdfcb6b4e4c59630fdaa4759ee9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ebc9cd0562c1956a44280f8d8d016b09

SHA1
dfe234d1e616ec454ce1b12d698fd3ddb5343f9b

SHA256
75daf11027a12d32db6201099325a8445e4c7393830dbafc9fd5e9558bc8ef13

SHA512
9f687a8824f4e5d95d18a21339173c6d13bc94bf8d4e232bfcd9983c3e4aef509e8b0fc587b22767d0eb2e5aab770a9af3db1fd8c94194ffb5f3a85868283844

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ca80b80d09c13344b498faf8a0486461

SHA1
9cd28d3934ae95f04f5da9015c7a468b86f3136b

SHA256
13aa917b65c78570f2e9c73494acc33def41893ed70cf13d4b5865d3b27cded4

SHA512
a3e87bbe54324a8b7532ef10e67d50b215c1a5684df55061eab12f2878a7a9bbf935e8d002ffd8529c8e1fe2fdf881c98c80520612dc02f762f9078283ba7eae

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
4cc29bb73b6ee264f8836be3d8c03a5d

SHA1
63ab6397ec32b6f00514f1997b4e0337b0102d8d

SHA256
cbf8115943f5ba09653a075d792527aaaef860341c13426d1723b577ae10f2fe

SHA512
55906e1fb7c6f9109de5c5a17ba85f05ed6f536d32e55e877fc9db308d4482603e4cd9f82ee654066ed2d804610e75117b110feaa3ba0d97d86c9d8dee4d5c71

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b777b26fd3077000fb6a86eff2479dcd

SHA1
00d108835f771f72b610b1a62c9dbca0d797d131

SHA256
413af198503e175632125a60da5e30d383ae2d49c1a2be940a081b91f5f90fb7

SHA512
77c24b1263acb68cec80c8515e18432ae03085b50f0a8c3e1d84e77eb5c25e0f58d788ec283e8f679cf6228a6241cd977f05fffde566cb542c4c644ad2bda272

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
93fa2d52ff1b7d1189d127c51fd031be

SHA1
b6f05f9f50e928d62275eec56dba2697816bb1cb

SHA256
db86524676d6cc2dd4fa59177347be90a74df10c0c3e36d8ecf2adf2363537dd

SHA512
9238aa966f669c90931b03e2ea1ca765b1ecb5d4f8086621b650a10aad221ae5e686afbd69dad06e0a81ae60bf66bbffc91b99ac4a912a1b17209cceb4615fdc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
910c0b3fe9efe6d63148fb195b14c357

SHA1
35cc903dce9fccc035b889035b6032297a3a6e5a

SHA256
1c473bb001cd1cfb6f83fe497588e90d092a5f4aff8cff5e55c45d5535d2a929

SHA512
c6c4247bf68d74d7479aec0c0418afab5c01ec7f493b0b86ce94756b3d0111bdec470c53d93c24250a9edf21b475800ff4f730ffda818a0d73caea69091a07b8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5e8cdaff0bb10d1f2eee7687ae2cde02

SHA1
9b1336d7634c61c1c39a7a100202d0eb0b6e8d22

SHA256
48705c1479e1961784c21dcd18d7ab1e3cdb2f421b286926b98a5f6934ad7422

SHA512
aeb009a9f2e166caf0168cbcea190952071228c01818742c22d343cc4599b01d704c428cad82ad45f627564dfbf3ffad1357910ef8864ab3ea2f6f57c5446c4f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e986e689e745ec1e5363abf217ca1ff7

SHA1
a59715db1b9892ecd3b056d7fe082ba7a468c4bb

SHA256
3873d293cfc4cf58558040055fd5cdb7c7fe0dc476ea61d7c0cf8e17a82018d3

SHA512
55359ad02c45d31d248b1fdfcfb3c98e211c95a0d05d5f7248037971a48314d28b3fba2f3206d65d36526f23608c4051a9968a5240eb27db41e07222ae758c02

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c68c41ed63fc8ffc5a7ebef5a5fe70b3

SHA1
c01244743ca5f8028c96ce00e2589ce4c19b027f

SHA256
594786332298898423e92173edb397537f2bbd87468b9c984d0ec72f420b023c

SHA512
92aa1d5e9da3cb0b5882bd9ba1672c927ee353edf6e8132ce8e643a626d4649f7fc41d2b6b7a752a12171a71a815a1e04dcb093b2532db0573fd3c8f101d0bde

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9996d845b91252b70d32d45fcb28a699

SHA1
60a9026405144653cec78e4545d6abca9017bf0e

SHA256
3a669e4cf95498cedcde802f223e1d9f4e8af32b0578dd3c66227e380cc1133f

SHA512
de744120b3e4df99f3b702151309a2a27b7e12596e3131f603c47188e8c201a1fc7c7b8700421f1972c677d4e3b1e093e3f4b571b46251cc5eadd04e106f88f0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1ac4a9c17b600f1e0e68fdcab1b1c0c5

SHA1
741a469577dc44947a7d68370ef6def3d9286f40

SHA256
97c8d26480fa698d78f587bbbe8f4986ffb5eacaa0c6d64a518b764728b7b555

SHA512
761939713acbc46564a7f298d3b64d81881ec2b3a2c8c6987431acf3eacb668cd37448120c0734dccf4a34480657f5dbab331be8c875a435249f504df05b85a5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
48a3aa0e45d40737967f96ab387c45da

SHA1
f17c7318e21c82d315eb391788183e846c595bfc

SHA256
542a3944123ed746a053fa6cbd5a2b06c17715c4ae6e94f8f0c365430c7ba720

SHA512
aeeedcf9f36ed294a1b77746214aa44eac831c7c8a9e9bc71bcc8e3591c88eb76072955c0c7d7cba67228a39b24bc66e57a998ae632928bc7d642b7ea068c1ad

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
3514284d84b55e2f338acfbada7c2e24

SHA1
bcc5a7240ed116c935c2609d995420062f6b65e9

SHA256
1a0bcb25b952d2ce9c47cc8dca3147bbfb309fcd9f506c7066766b1e8683c739

SHA512
5e9b4d3bee64bf37dd77216af44448358cba4a146853ac13604b020accf0670945ad28b54fbc0df6ae508665d3d3fc7d74051729a061b2fd111bd882b05af8a3

Download Submit
memory/396-273-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/744-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/744-58-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/744-44-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/744-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/744-38-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/920-200-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/936-193-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1444-275-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1544-0-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1544-459-0x0000000140000000-0x0000000140E12000-memory.dmp

Filesize
14.1MB

Download
memory/1544-6-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1544-21-0x0000000140000000-0x0000000140E12000-memory.dmp

Filesize
14.1MB

Download
memory/1588-650-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1588-276-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1780-48-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1780-54-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1780-644-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1780-56-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2088-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2088-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2088-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2196-274-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2200-88-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2200-192-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2248-195-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2444-194-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3080-197-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3080-643-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3148-198-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3348-647-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3348-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3348-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3348-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3668-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4064-84-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4064-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4064-79-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4064-73-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4064-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4092-648-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4092-199-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4380-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4380-530-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4380-17-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4380-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4564-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4564-651-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4580-196-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4596-201-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4596-649-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download