0c1734922282a75e076157a19ff64da3681a82ad7845509cfef986ff0569f907

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
Size

1.1MB
MD5

f012cc77fc71176d5f21ba869865b1b1
SHA1

36afc15003ce7c0c4e9707aac111852b20a78497
SHA256

0c1734922282a75e076157a19ff64da3681a82ad7845509cfef986ff0569f907
SHA512

ce687a24fb64e87accf724661d7cad48d034fe4272d39a138cad6b4a848e328008bfce3d39a387780b28e0b241b9eda964d58b167ad2925e931bb2c48b404742
SSDEEP

24576:QSi1SoCU5qJSr1eWPSCsP0MugC6eT/SkQ/7Gb8NLEbeZ:gS7PLjeT6kQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4364	alg.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
3116	fxssvc.exe
5064	elevation_service.exe
848	elevation_service.exe
2152	maintenanceservice.exe
4464	msdtc.exe
4644	OSE.EXE
1408	PerceptionSimulationService.exe
1128	perfhost.exe
4688	locator.exe
2536	SensorDataService.exe
1760	snmptrap.exe
4728	spectrum.exe
2236	ssh-agent.exe
824	TieringEngineService.exe
4696	AgentService.exe
3664	vds.exe
2704	vssvc.exe
4884	wbengine.exe
3944	WmiApSrv.exe
4188	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a88581b8aa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d112e693ba1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000303573693ba1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018f7b5693ba1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e01dd683ba1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ad451693ba1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000668643693ba1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009994b3693ba1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d9694693ba1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001115f0683ba1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000170e6c693ba1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3160	2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
Token: SeAuditPrivilege	3116	fxssvc.exe
Token: SeRestorePrivilege	824	TieringEngineService.exe
Token: SeManageVolumePrivilege	824	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4696	AgentService.exe
Token: SeBackupPrivilege	2704	vssvc.exe
Token: SeRestorePrivilege	2704	vssvc.exe
Token: SeAuditPrivilege	2704	vssvc.exe
Token: SeBackupPrivilege	4884	wbengine.exe
Token: SeRestorePrivilege	4884	wbengine.exe
Token: SeSecurityPrivilege	4884	wbengine.exe
Token: 33	4188	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeDebugPrivilege	4364	alg.exe
Token: SeDebugPrivilege	4364	alg.exe
Token: SeDebugPrivilege	4364	alg.exe
Token: SeDebugPrivilege	1948	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 3020	4188	SearchIndexer.exe	109
PID 4188 wrote to memory of 3020	4188	SearchIndexer.exe	109
PID 4188 wrote to memory of 2276	4188	SearchIndexer.exe	110
PID 4188 wrote to memory of 2276	4188	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-08_f012cc77fc71176d5f21ba869865b1b1_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2164

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4464

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2536

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4728

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3644

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3020
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8e9c26f3b86d5f2839275a206ef2c99b

SHA1
71db9f19aaf627fade62e4193ecec9cf95c54802

SHA256
afb69015a1952af33a3b497afe9621285e24a234a42b69936a9648da80cb47ee

SHA512
7549a31df481a4bae706b5e3d560f339f26377e4bfd6482e5d0ede9e669588f988a7f047d84d05cd2660e58f09bfff01ca7adc736915e80680c4d5da31b69050

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d3a37867efb29f53ee2a56931ed459e8

SHA1
90ee4efb122061c31f9240f92195e8d3e7ac28e7

SHA256
99ce1b18c1d3d8b3011fe6f6534ad0371e1ddfd6f376796b35f4e5a326383d56

SHA512
e9ce274d0703fb25e9c34502b95039074cabd5ed9a21ded83a1253c0c85902b2c56f14ba0d3d83a5f191cad4ee5135e944331d8b271495c90f47d6c5e62f371c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
11da1ce80a1c73afffd319dd7552dbb5

SHA1
feeafb0ac59fb9ab0575c31afd1acf9c9c253cb8

SHA256
fbcfacb4f312daa04cf1d374e139a25411178d33c5719b9151986044cf0d5fe5

SHA512
ce716264ed1e5ef954d701559770979c725616af0a0a8c6276d313d3860398993016027e435134e48ee0010c03314b3b3efea4c21ee8b5a60758168692c091f2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6256411703213d4a43cefe879c36e4ca

SHA1
ded2c09c0eeda9f0962950c48efd6f815be9bc32

SHA256
af241473a235f8f6988b15bfbb1b0b79eece5c91263ed54987cd19ccfd50e3e4

SHA512
6d484fef02ccd6f7d09a1857698fe2d3420bd7d3c240af00a2f8f50febb8f795f4cc2e38e9e756bf9bf7314f412a91e830b4c5e2c7707616492c811ea2f647d3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
642089b20e38a577a7d24b7d66c744e3

SHA1
75846b08816155764d5bb2db47987a4ea876b57c

SHA256
46bf0a39872d33b8a269c38ad655d925179227cdfa54bf5bfbb286229714a777

SHA512
196d80b227ddfe18c6f8eb1fb16d6bba4e33b0ce14e8cffac2557ec11eb467525945a0b84e1156e95055de30f5f5e7ccb569546eed83eba0a5bfb4aa43f6757b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4b3cbd8539b2e5cc9376befd0529e5be

SHA1
008d7f1fa004c15b4b593ddb8daf68fb0fa4af6b

SHA256
6e9fd5a76731a7e3ac2508bce323ed750818d3b28d10f717a475a933b7d8ec26

SHA512
e7d946a865a9824f1e78de4ef89750aa13f0c0d001383ed1b9499a35830c5d8c3e8e20c73bfb8f93d1256f2c2f1e3753719ca669a5e1fa55f44fb5a9f524d1b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
0cbb7d75e5e44d6449988b7b99d6f6c4

SHA1
b40a6121a19955f9d79b0c766cd2379c10a441b1

SHA256
c86db419defc50c48c2d5351b6e705854430bef1d0ab64bde840fba1b8a05eb4

SHA512
521d343fcbef5fa2a5268b2dc847c12c1976a6ea28f0e73f46cbd6974694251816e86513219dd908b5cdc36150707e7dded8518e2ef60e61f77f4cb28bc00c27

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c2a829fd4bb352ca2c821841c3a521cc

SHA1
639bb748b54e81e206b7cbbc7fa1fcb18a7f3dc8

SHA256
27fb4262b55d3b4c693c51ccd8bb16036c2c91c9a49e429791599b55217c89ff

SHA512
a6191d923d17e437e5d01cfda49e8c20f0ebdf6734859ed3e469164a06e42870ddfe4e74477bd1c5075255daca135330184eb013cf9d38f4c66600ca05ff8589

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
4e8daf2b0e49a14fdd5ed983687e0f5e

SHA1
f8250e375ff21e3a29d3c50f6e732f7f298416b5

SHA256
7421e3743710c49ff30a1fed62b83dc4c8914096d6ee5b246bf0e9d1ec0b3f4d

SHA512
9de17f65b2b49f1aba494321bc6e8daf70798c7e80b5708df6bbd99acb9bfed716410ca1723627b02885c586e4281e5fec99e65e855623046572568ed9d423a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a4c6500559e8ad85ac08e7ef62042bc6

SHA1
21d95500f94ff9dec1d86e54a47d3859cf57b133

SHA256
c163dace0fa4476ff04ecd7e845f338c8a32d3c3ea93eaa478011444cefe89cd

SHA512
6fc7c5cdeaecee51f4917bdd140fbd64f4c9021bbecd26c537756863a044d07e1bed480bd576431d4fe94bb0285082717bafc3faa54cc478309c98e1cc4a0c11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
733b91604c7ad6de5fa7e66874256bb6

SHA1
d8da8487ae18933f2dac7a82236eeec8efbac9d9

SHA256
482a05523b3d231868d9106e92e61f97e4da5a29ef72cc0d059cf40f452c1a80

SHA512
b74f392d8d225ddb17e155db9031911c18cd404c0fb774f95fd7ab18eed9c630ecd1babb265a1a1ec8322a117cc001034f273a848f9ef99e748de7e0041b8d18

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
389d73b01cd4143a96af2f9b5a0c4140

SHA1
6495d8c17de00500c2d48310427a7c9c2ca13917

SHA256
caa4069015b489444dc13d9ad15cc4e6af8e5fbb00ad51e3ae656871a633caee

SHA512
8ec6fcdcfbf56f6b5bb5666c72a341ff0b1342ed35b0e7c4141aea15d306c8cb08848c1c04b438cbc46f12e1b686976d2ae06d48191ac0898528e35354bb2f00

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
22728160dd8240a1484080676f4f0538

SHA1
cd4c0d58f1d467a7a982df363321165a3bd24ce8

SHA256
4d5a7ff785022602623424058749ec324259e03c2091095a2dc25a802f41672b

SHA512
8dbaf9e40058d0469c509188c3bd0f16e14c32df18abf2819fcbe5d29575525fba3f9b0432eeb2f9b9bda0db9dc802ea81bf9debc1453d1cd21b82cb0e13e24b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
050dc739ed2500eb8b28934a312ee627

SHA1
fe70ea655179077e3ef971955293645045f72c4d

SHA256
8becf806c6cbd3ee1964d9d68c0603ecc00203766893c135f83e8825c185d1d1

SHA512
212508f34aaa8c0009e8c4bf160bd2445527e249c634e31bb078c54fe50683247b7975d819aa92b26d2b27b3cb9efc42c3dd1ee5778f6a5b9270f2312e3fe22d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
fac28fa47497379b83ff2d6e69d1c82b

SHA1
b0d2505fc79d7ea1b02fb3f250579c7b3d0205c2

SHA256
841a78767af2488c790eb70d930c4a27ebadea51fbf4a77ca340c8320f8c6c39

SHA512
ab4c0b00903ceea3d0177439393c4ec8bbdea99dcd0199792e4c8ed02316b138b0b607cd2a174c60f9858588c415445d89a5fd714e3d74cc6b851dcda93cfc5e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
4985c0f99b90ad2430ec8872c9123287

SHA1
bf9516133bbde3d7bf958dfc21c0b14ceb0a5253

SHA256
939a9becbdff8959554fd4de3b3a037f37768841987d36582a906b86093fbcf1

SHA512
57aa6eca08cba098e98384287163008838e25e2dca6ce5be1e9fb971dc55dfa383f87ff20449f57bbb946f868aa3800b530cbeaca51f5614fa35e8dca142a0ef

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
47d145dade94aef4d7f28ffc435c6ab1

SHA1
51eaf68190a21921c1eaf41dcac858fb3601f649

SHA256
98376ca02c162151b3d91416fb554e7e6202f7ee7190c4ae419b5f1907a33033

SHA512
edb8b2fe7dcf38c6868d67e46a6cbf92c7681321e63cf558e4f2a1b2b77e26978875bdc2931bc2c300ad0494c0beb2462e66ac39fed5089683afb057798ad57d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
ae9515726d847fd43f73fd927f3ae450

SHA1
584d36a889993fd1c6dd4fc41ad234306692cd58

SHA256
e3eb63fbfdd6122726ba042487d39f2dbba1b9f7525ddf92fb6bbde4a0f756d2

SHA512
507fd2a39d8558d92d9f7f66928fe073c0eab9f5b95778bd2417a5dc58d5ffbb8c70fc19088eeee6ac79470bc0b160f60201c57211f89a0cf6550d04e535812f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
1234720cd4cca8bb6b065ecf246e2380

SHA1
380652f839da71ae988d2f64d46a9372c878c98f

SHA256
d359da6078cbf153b5690e11b14b82a06f9e242daf82beb503f3ab0babd6ddc2

SHA512
73b9f385c0acd5b7260fedbe3103634d42487eb3c011cadf547e2071eab1622f35bbe8865c0467c46856b7c4b4032fb12a4998a0e9779f26cfdca40b9f34bbfa

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
a5ae891ca901791b79d8f4ad5ac1926c

SHA1
d8bf6dca5b214b9b1608226b6b1f3b98fe76672e

SHA256
f8eba5785c12c57eb4fe338c2e7ab9f49f051bfa9cafcec617e47662539d7be3

SHA512
314e5328d091de7742876eba92a876029029a27954e877e25aa2562d2cc85704a8045acc57c74a59b208b1822e2dc1976bb5b4384c938e8d2b3b7e803c476c37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d5c6df16200f935a2325745fdf8ff16a

SHA1
77ea465abd6f1cff8839ab5636550ad24400249c

SHA256
e91be1f47b45488bc8ed58bf1ace11a26555e2a34c61c31ac9eeb6b4d0df8180

SHA512
2ff150fc327668adcabea6429846c1ab5e217422c7a00152f1e9054c7383ff981777deddc98b0ce4a9a085ef32e07935f414b938da506dd518a8b59451c89270

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
3cb6a6d50200027c4b2330abf7d45861

SHA1
65ce255295e7bbb7e95c57927ba615dca19ffdff

SHA256
fabbd85bd2143ce954b4116b102c9f4a928e18129f8e650bed1e5b1f2c267254

SHA512
3e83c3f2017331550c16a74fa3487511b4c1ee7a934ab0b0959409b9903baebacebf80c6f192e1b1dc3b181a903c7cfacf1403780efec8696be7fef1c1058c8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
84717977646f83fb42f8871e45d3920c

SHA1
40c76c3b0395c24e6773714d61985faaf532b846

SHA256
9434ecf30198c8fbdef609c25aae250ddea2246faef3e22e59321f05511f152f

SHA512
c7c56e26c3406fa3feb2e60260ed5077126f1108d3b748d743f08c2b666ec5e5040132352f99c2ea7d59619602ec36004a4df4caa824c09e19560cd98da1e5d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
4005281291ba01691030c1d82314842e

SHA1
1a3baec6e675088dca60aa5f594897668fd89c8e

SHA256
eb9316a327a63d290ba6d2cece7243ee70ae98af787912d9a7dd3b0021f889b1

SHA512
8cfee302c21064f1c54787603fd9e342d69946dccd29d15a60c4d4fbfed855dfc3e61d5b6f6d9d0982fe82c451a218c0e1b734726b1bc03c86ed388d3d2bf38a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
2dc20777eeec7951d7394a897fda2808

SHA1
53129cfb4f5dac1df14fff16b14b38f0e587a5bd

SHA256
533e4f075ab70c0fd646475ae97b7af0a21e793f5448cc74bc0f0755eb125662

SHA512
28901fae53826a9c9a1361e99537dc1654de449fc8fd8d62062ba9904f1d3f73f696deca345d1cf042bf1565750499054c01d24d82a50db2dcc751f91ca58239

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
fd9f355308bb6380e8ee674a4abae40b

SHA1
7f157f43525e1e87d8b182d658fd8c49911614b3

SHA256
c39aa8d12425e6595f4ddba2ffe40749b6a82620cc5eed74eb601c97a26953aa

SHA512
27b9a15ade7bd1bff8a2f3fb4dc32199fa74d5abd4060daa50a9752410376b75a410a4bd1f359958d81586e1edcbb39dace7e9c04143e41586b5ec4374f063a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
bc972f5d1dec2e23fe34c48873753308

SHA1
94c475cb5fd8969d61559819f8c332474facfe5f

SHA256
57817701dcf38a372e6161caae602a188a7dbd9bf3a3170d72eabedc4ffa5f5e

SHA512
5a1e1738771949fe43d2c2ebfdfaee797723ff5be6e73d426d57cd57fe87fd9b796911dcae1614e380676708e3f5d4812d62dedf81de5cf4f5d8451edb954492

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
acfb601473b64ca039b339b3ebc84bea

SHA1
1fb97b1d44f0f2e883453e022ef301da24edc60b

SHA256
674d12ec0d6620ffecc9d4d7d84190db5398f95f18c9d37f0439ed3729bac069

SHA512
1ec9d3e4c2c6a0267a639f50595b48a3d1439843a014d80a9119fbf5427532b2130b306e61253f5facb4dcae4390da14dbeb51b5df529ed065b13ad74529b961

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
23d4ec83a1eac26cebf7a1ff1b4b67d2

SHA1
7f765778109b0090b68f97098bf62c03508e6762

SHA256
1860ec51cc3f483d07245c6250129d24b1a52e972c5b2712318c52ed325761a8

SHA512
afa5872b7b26c6ca29024c7a32feb378e5abd7fe4c77cd0abc6705bf489e04a392fa15013e8c5f238c7a459df9bdda5c7448da3458ae49fc99e62ef9cdbcfbe3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d59067ffeedbdd402fb62a6cc860f543

SHA1
d5afafa45f4597390acfd710463b9ee9e180dd4a

SHA256
3f955c4f1f46205897ed383334ba723b9a712a43c15c5b8935b9f717b31a1871

SHA512
8bc30761a1c33df4ab50b5e1ac3f6d941116db3df05926efdaf4b52041f54aa71fbdb4d7932ecec51b261c22235f0df855bcd1fdf420acdac1d7f7d3e2fd03de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
724356d8bf70bf705e619896594ef54a

SHA1
42974f543147b9f85b0379e317979902bc4bbbe3

SHA256
57fa61345d70ff9e96d73fd15f20021428dc3a643ff6f9f24e141ae0052eaaab

SHA512
69c711f94a8180677f1cce3261f632d93e15f30bad720b90252f74ef135ce231b1fb1ccc731aca50dcf4ab7a78f5f94c24474792093a9cf2c7b25639b79731a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
d3e48b321d3392bb747e4d0bf04c0904

SHA1
1e85923e9cb9ac59983bcbfa976bdf84936992de

SHA256
a1109af54047d0e231c9ab0b1350e47ab832c1733416cbf3f94974bf22767757

SHA512
37add8861c854ca763185a3b71bd7599afba8d3fef74f9eb0e585f1600479a775a4f7ee8987f3a77480b39b5fb7dd36a703e64866fbec2f3c0a3a59099781a03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6d3722dd23619422f37c1f16da734491

SHA1
1d80a1bd5f1363a2d931dcd33b86900cae0e42d6

SHA256
fd989b551ed7ed46ad3350aa156330cd7554b00e1867a4049cda6b62a53251c6

SHA512
d4743131792582a08e5d6467e561e10cf2e9a97a7a2dbd339ef0a2b25660b8beda16354d0ab4fc1e6c545794f31a434619e0aff695b5b4fd3ab9f06ecc02d2a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
2617c94971a564b5ab7ae8dc93e23fe3

SHA1
63e1b0c4e5831e369223004ea17ca7845f2ea033

SHA256
23cee8ba11742a8d134fb729942287fead827399ba78f7cc189660fdf8d5bc14

SHA512
78bccc23e110e4fea21fde8ac858ae1132c5969c7c82cc694e57849b83939376ba89f7799599929832a327a53203dfc1fd5ad9a5b994c76da1999dfab862239f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
001be5c1b69095477c40bd86ac201e7c

SHA1
dc81ef7190087df5e7095e4edbe6005e1c7df1f4

SHA256
fd50307c23ae1cacd80d77178bfc750adf63b81605f668ac9504c7cb49878cab

SHA512
11af16fde6f24bd29ce0216779b03855f29e78d46115a24cd4b39ce69c3db5e47ebe5215acc5fa36614fa0b28e6c49f7739905fde6c9dde46a31de0d0b00a3f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
99592fbe757c81302f896e78458d67e4

SHA1
cf3c71e3d5cf2e668eed6eeed67ddce0ade099d4

SHA256
caf46e4a483b9ce1d08847460000b7d1344fe495e2d06ab2f4056de9947c874f

SHA512
3513a8e898c09b7c15a77303c60a700942fe29dc5d403b1ce8eb1d36c66d59bb498aeab50c9b9b0917e10b7a77c0e2ffc19e7ffe7e77ab86045bd5d0c26c5ea0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
4730c647a167319894bdb613e57c5e53

SHA1
f9cb7542b82c15971124576b5e15ea4b66f22f8d

SHA256
e362eaa21c3b3ea397497fba7ca486189fd83e9b18041f254a741d50d673de0a

SHA512
fd177c7890ea9f7336e5251fa8a9390b3dd93fc47b2f855bb71d092f5e09527ca18364024cf006940087ab25b9d69e969d08d5468d465750357e3a432c8a47fc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
924aad07e242d18d1d6ea3e720e22516

SHA1
c69aa8ebf2e5dd6012d1b696a231e0876ad02d37

SHA256
ffdf7cba88b2c0bed1c0fdbcd8462be7e5d790ad48c540dc074b941c201ab2c6

SHA512
c2ff9223b701e85b73a2512118fe1141994f5b64930640f31f8510017a2c41afe8603905519a70b2f02e3995804bfd3bb8fd04c79d4f4642334ab86d0c98a06f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
0f6a4416543449538f0374b866a0ba7c

SHA1
68cf1334bdc22501702903f1438b22d6dbaf1704

SHA256
62560571cd7691edc05b6907284346a7b5b8985b141690296677cba711856dc6

SHA512
fccad15eb2c1c898a2e9bbe7ee1a70d6895e2631955d19db81d08912d0e2ae71c24d3c26055227820f32f3a40bde83c7cac55129973f619635e31b2778cb6e5e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
87fc4df7c4212b4799a999cd85ef247f

SHA1
322a15c29708e9391d5f62722a4e6f3b613618cf

SHA256
fe61554adc5359870ae1563cb90d561d04729f51f541b277df2e09f2247a8bb3

SHA512
f910681a4297e3da29cefb5a19096c6811ffa1f512e805fb55872cdadf68eb811f107d7c4c4012397ea2cf09108c8eee534bfbe6328c62f0c71a9f25ae98d46e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7f12beea3c1e7baafbaec8a6013450c2

SHA1
412694a56c14fafcfceaf5d54fa9efc2cd9a97b7

SHA256
0e9dd9c44cbf18ad18902184c8404452621d2792b47ae62c92cf2abc0353126e

SHA512
e6c829091f50bc6e7165300181d4a319f7795cff43e52aa206bca8f8aa7360d39abeecdf93d0856b6df08290c958339418f1e51adf55b3589bbe4c803e4582a3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
d78e36680496ee94f1eb6dd18b89f743

SHA1
4a4c6438ad16aea27c3d796c95ad58bbbd763431

SHA256
937e339edbcc179cd225ae4f916c4595a954d156bf5edb844382fd3e6e0bdc37

SHA512
2318e960501149341c736829cac1f938a7c629d0f6ef0298dfdb59c95992d77ae7983595bad82199c46ba34a82aed803cf82a0203d61182c72b06031b7d0842b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ee6bfa9311fb6b256050362507286c0f

SHA1
ca0d2f436243fcb543ece7788d1f1d02434652b3

SHA256
7ac0810ff9a8055face4460f44183e51a738c4eb3ba285f6bced670c679111f3

SHA512
a2ce689c0f434422acf258963d28163e04c6dd55c54d6b5ed9ef83c326bd5579beba9ab1c1975efbba60eecf54a4321cee2c06654512c8807830629d323e5cfc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2ae5cffef5cc87390155caae02d20e08

SHA1
3c3c51b0df0ad2d965cc5154fa32141c5adf261c

SHA256
c7c03821c4f701ed8eb6a18f0e00ddecfc5893116c2ca564c9556733cbc30130

SHA512
c796c9b0eeae487bedbaecae595ed9a5e428c56d1ec6a888718d1b29db638f1955b73767cbd6c0f7aba0526ca9453506ac2f61c0b8526e7c7ffbb0a2c6b767ed

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ab3f1fd308276ec0cf706e806288378d

SHA1
f4db7607bad14b523bcad213a198204ee794f474

SHA256
ab83dd3912238e65568dd2843c2e675c7f58d12e190df86460e88386a8d250c0

SHA512
13d98d5311bd860bd30a187d2c1f86bc31e38759be0ecf099f0d4beca30f0cef8d4dbd0324c2090acf6e8271c390cb74ea4cf81d863bd3926e8c7c45281b68fa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
ce0901c5c02e5d3d4c92084c438111ea

SHA1
e39a7c30c6d19e236ffff0222428655e24de30f1

SHA256
72fc40981f8a089b63ff8effcf1bf967f7b31ede720056a38d8170c10aa58384

SHA512
af112cf4f2a94250231628185d4bc7b68ad5cbd2c0b55046ebea64ec8e19bc25097b564f37fd1f1bddbff0e7302c4bf372045d101f3431856cf3f3ea60248ca6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
253bf8ef3faac66bdcf683568744a20e

SHA1
4af7da5d2c0705c206b8c8577c013f3833f590e0

SHA256
4e1d8b85308225b107c67eea80f94864432e97a48624692fee37781066e6167b

SHA512
4946caaf08eadcb1b2107f45ba987214a6a81d283dc402cb9eb307ef0eb1e680db77669d6fe70e0a47188e3670a8b8ff55f7f088751c529b42527c58f3607abf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3a15501bd49e29811506c0ac31c84f5b

SHA1
f427a2f997ae1c144e2c90ca946e0e2705ef7af8

SHA256
0685244614e153aff37357cc2605623c5f2eead64407f52a5e2c1111914a9bb1

SHA512
e4903f624338dff2df21852be10111ad3835ad0b9ad8b970d8fc0c5fc697c3ef670ec6996ef5a7ee5d237977307f0e44efb6715caf434d6377bc06c20e7834ea

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6a939f8678f2a0e95af390434be26c93

SHA1
f57e523eb61ffc3541b0301c0b12c9c00c396dc7

SHA256
b8cb792b5d8b5e8714c6554974d64ee2a3c6e8d98b9a70a3ba0a6f2146c249aa

SHA512
373a92192a107ae90e556db5081e2314fc530c03116f577e15b84ca6fb01ca74c0f990a823d67c2d5b1f0d7e1e0b08fffd3eb7427cf6699059d88f5e0cf9386c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
425a08285dfe9228e1a97b7081fbd485

SHA1
3dc03d6083c3f9947c5b0616b9fe9c3e0673d7a9

SHA256
16d4e7296eb793fba2b658ae871987d7c09a1d619a6d7aeea6fd3e2fb057f7c8

SHA512
2c6e0a98314f7d81369b4ada276a3e392662c1912d5f00f54d9ebff1580ad3f34c6c6342c40b5908311804606bc143d9a5868cbad3f733836c79be4dce7dfd6c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
72ea3573ed8a81214ffb2e33cbf12e4b

SHA1
2c0498164457574d8ce7e510569e535548184ce8

SHA256
dac9d8cda0cb5b5d063d5a6e6c11b0f4d479af7c57179855ee9562cd861d875b

SHA512
b69bb2642b6e4c80216e89ed9593decf092efedb3fac9f8c3588e8631aa4e2c6b727febd1f2013a4c60ef46cfdeef9a3048f1802855062559e0ccb29e2752b2f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
e08244b03d33f7a29e2658911aebfcab

SHA1
228c3afbee123ff6219fee4181bb55bebb6d7dd4

SHA256
99e314ad5a3cefccb29f6b8fc1259cea89a64e42374311d21d3d22a5bd01a8c5

SHA512
9ea8473ddfa03a8c543fb56497c183cfed9e7713a125d454e46f1156396028b8b228817d51f73d99633bf994544e3a9c3cacec356b791cddd6652b26ae7a021d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
46a138eccd331f678e6dd22df1be55fe

SHA1
a0c30a1544cb87feaf64b69a25a5653fa7f2b878

SHA256
7dc82d35ab2f2f60f6ca557f69c63a0b19ac8102c85e5c7bfddf0254e3714f1f

SHA512
d7cfe55177ac23a22c38342fe0f7a3002e87e9f7028a829a49fcffd9190a0d2a202f2088c3b472a54b47cfcc8ebe58c30531e672ab18c04be7f89e8faca545e9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9446e3ecd8d0c65c7bd3f18b5e49d7c4

SHA1
6e2ef191e082ce94c43a9ed5a36b524fab67c3d5

SHA256
59d6dec6f8864df6e343abbaba05084e1ae300a4a0b5f8a13aa540343bccc0e5

SHA512
aba6baa9233fbbff70654ad9ec04c858d21bd7df06aa601adfe03fa71ba2fb63fd15883c95807f35720212f2d921946e26591ca5fc384f63112738d16d7f5c5d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
182f6bc09424863fa2ae2a3eb7c4c778

SHA1
16c89f5dd1d7d24ed63b8e4ea675bd9d0ebae9a8

SHA256
254af05006e59782df8f61b47fbe3542d9df07fc1660aeb7a4a793e886aeee8f

SHA512
68335f93764da01c655e4911b9236d639c74dd111c1a7426ade4befaff100f26552e45fa9166db6f23615364651f88f1ed67e8671765b270a268fafe4c6cdc88

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
3df9fb37464390d09669151a8ac8b121

SHA1
3b107a91dec1409206e2be9e56c90ab95022c9a7

SHA256
41dbc2f812ffee0655c49f163d8eef60db941eeaa903602e07ab11d96dc27aa6

SHA512
93e5902772d4eacc299872c018f7ea552ab14da01cd40ede7e4086d150b5b67045f6dfe360538f676bc230c98e905199109a254cd9421a1ffda27f3a64afa419

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d4bdd881a28f0d79071e54dca9fea66d

SHA1
331f18f527933e881d57f95937600bfe2c9ee417

SHA256
eb1d91d9ace13874676c932bc284ada81765de638c9d22f3077297f42773dc14

SHA512
493648b39ebdce85bfd301838494d7074d5f1bbfb7e1988d696da9508bdd8d3afd3822c8ac76125bf3ce78afcc872d10345e7ef71e73e3709bd9c9c82568e445

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7012c89d8147caa42e4581a5e9624ca7

SHA1
2dc2b3ab47fa531f8d6aa089de6911a9739c0b83

SHA256
7000a22152f6e76531a7066fd389a9faa5183b8c32b7dd25ecd5723821d696e9

SHA512
3954b9f2fffb0fe1c86ff06adf14810dba236c3af728f8c9973ecf066cc550eff740c6baf7bb64a4fe43add3a59e8dccec59620798d8a59d495381e594ee32f9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
170ff540f5ec6642907fd9f7a0a8f018

SHA1
a8ba558b3b0e229a29ff9c3d5e0064c287c18786

SHA256
833fb4dfaada2bd0364f8b7fb39e66d4a6188b85a79aaa705d512b330e3b0cb3

SHA512
6a04f6fec7b5b5c41e68a29f8808e49fcbf0dfe8c65296ebc9edac905d9af8e813aa236de64f32e31a1290969ea0e6b57445c310a96d8cdd1dca084d113acb04

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
42587fb020916527edf8d89ceca5a97c

SHA1
cf538b6be825ed172703dd8baea7d2db60dae440

SHA256
269cbb12bffdba625443ad7c04213685847ea3460f9a655253c37b5345547bdb

SHA512
47d1e85867baff87aeb00ff86e71682d3d294df446125e17144ccfd95ffc65983fbe0bed0d8d8c1b12adf666d5baef37d31f380b9b19f649594a277b125d715d

Download Submit
memory/824-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/848-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/848-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/848-599-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/848-108-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1128-264-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1408-263-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1760-267-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1948-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1948-595-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1948-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1948-34-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2152-74-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2152-80-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2152-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2152-84-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2236-269-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2536-555-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2536-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2704-272-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2704-601-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3116-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3116-38-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3116-44-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3116-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3116-51-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3160-9-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3160-468-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3160-1-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3160-469-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3160-6-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3664-271-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3944-602-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3944-274-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4188-603-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4188-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4364-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4364-594-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4364-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4364-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4364-18-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4464-88-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4464-109-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4644-110-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4644-600-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4688-265-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4696-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4728-268-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4884-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5064-59-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/5064-53-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/5064-598-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5064-62-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download