2c5efd40f91b936744760c49d720b6ce680e86418f0f883f151b1706426b913e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
Size

1.1MB
MD5

cc80340e5995894bb3bf098749d24554
SHA1

dc6802600303eb85ed7be3e3d940084545b51e90
SHA256

2c5efd40f91b936744760c49d720b6ce680e86418f0f883f151b1706426b913e
SHA512

c2235abdedfd23136f33f45381372a4f0c91b66b8ad36e7d852357e1052314fd4473aae2ca0d446a2819fdf607205a7102c34ef1137bfa6b9e8a3daa2d583cf3
SSDEEP

24576:cSi1SoCU5qJSr1eWPSCsP0MugC6eT6t/sBlDqgZQd6XKtiMJYiPU:US7PLjeTA/snji6attJM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3604	alg.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
1984	fxssvc.exe
5088	elevation_service.exe
3680	elevation_service.exe
3456	maintenanceservice.exe
5028	msdtc.exe
1728	OSE.EXE
2396	PerceptionSimulationService.exe
4064	perfhost.exe
2736	locator.exe
3732	SensorDataService.exe
3664	snmptrap.exe
1776	spectrum.exe
2952	ssh-agent.exe
2500	TieringEngineService.exe
2908	AgentService.exe
3560	vds.exe
1616	vssvc.exe
1408	wbengine.exe
2780	WmiApSrv.exe
3672	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\638ebf57b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003056ee7cfda5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cff3eb7cfda5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddd1687cfda5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cff3eb7cfda5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008033d7dfda5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000981f967cfda5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000020ba27cfda5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cff3eb7cfda5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021db547dfda5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4044	2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
Token: SeAuditPrivilege	1984	fxssvc.exe
Token: SeRestorePrivilege	2500	TieringEngineService.exe
Token: SeManageVolumePrivilege	2500	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2908	AgentService.exe
Token: SeBackupPrivilege	1616	vssvc.exe
Token: SeRestorePrivilege	1616	vssvc.exe
Token: SeAuditPrivilege	1616	vssvc.exe
Token: SeBackupPrivilege	1408	wbengine.exe
Token: SeRestorePrivilege	1408	wbengine.exe
Token: SeSecurityPrivilege	1408	wbengine.exe
Token: 33	3672	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeDebugPrivilege	3604	alg.exe
Token: SeDebugPrivilege	3604	alg.exe
Token: SeDebugPrivilege	3604	alg.exe
Token: SeDebugPrivilege	2876	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 1508	3672	SearchIndexer.exe	111
PID 3672 wrote to memory of 1508	3672	SearchIndexer.exe	111
PID 3672 wrote to memory of 5016	3672	SearchIndexer.exe	112
PID 3672 wrote to memory of 5016	3672	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:956

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3680

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3732

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1776

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3052

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1508
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f421e13a89b3ffb841f76f58cbd734a0

SHA1
16a7768188f3a5b077a7069464a002ee2820cb80

SHA256
1716b52d8c245e1898d72a21c7ac78949446952a55c6359cf2734152ca509044

SHA512
bb2859140e0d217d316088972cb1aa0a97d764e6b2e1305fec20d157afe8e7944146766a80444254f03462f2d1454d924b02df321642e555ce4413c48bfcb710

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f62b542e89e683ad83c22cf9f27a959d

SHA1
d29581d382ee80f5b893d840f0a3b13f736dde37

SHA256
1584c0385fe367792989990246c6140cfe32a09694b92423751dfe513690eed8

SHA512
cf84d68c9ef9fb2d69872550e0fda55b038c66ef327920ccb880e6c701a9b815474cbba7634645cd2f41fda5b9538f0f5cf425ce763bf6f49870d39969c66b72

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
bd58bf2b23b83f748fa655ca841b2623

SHA1
55e2c1ba65634272348c481a72303f34f2053d77

SHA256
e140ca0b4f5477d37c2981feae838a9e789e8734415b68c3e1cc2d14d144f729

SHA512
a9a0d5cca30b5906669b9ee44c0fc85e27e3a3a1f980bbedb8dc30ce9ff801f9737832e2abbc5fa59280f788fde8cc1458c72cc6eab3a2e03073ee4cc198f919

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8ea2de82e4778c101cd223778c59afa2

SHA1
3300b0fdc62bd5135f48bf4c2079de42df893d5f

SHA256
ebf724b37a0751c8b99413444f2db29212d3519f47d2ae92e16a320c833730cd

SHA512
0fe5677ebf80d92fc760d2aeb851786f06d918112314eeddc316f661e59cf73042ceaeedd880abbdb5eb9970b1b86af69fd34cc80cef84daafa27c0dcce175d7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2023ef482f01158778e0843d90e054f0

SHA1
b4a0d64a1b03f506fda27de8856a3f820c050c6c

SHA256
0a894c1c9dcd08e468f2d8de39f696d02b27a0eb5a3ff2fcdbf1ff943f6f676c

SHA512
4b031e617c8232a41e69e7d306595742ce51045c8ce542b3759f8e453210844a31cce771813045d4c20c4df9dd6077dd0c46ee619bc4ccce4d86f44666238e60

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f5e12c52b27f36d2846832f795496964

SHA1
d045bf8af78baf44f06b30b19071faf522b8953c

SHA256
6e67feb225e46cd94927767a6fd9dd9024943d1cc725ad2e6394c176e49fe38b

SHA512
f257173dd2050bf6bab9afbaf2769a424a8b3f13b26b248088077c4893f3bf28848e79af9dd468dd4a5f9282b54367c8de05c98d6916288c02dbec75e6ae851c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
a519b7cf26949e635483cc183ffde1b7

SHA1
d9647b3d513dfbc316f40b21203722ec04bbc389

SHA256
40de23b4165e680f51f9ee612786f4b84da2e1888b23aba6211b8e90960e32c4

SHA512
2dc9b68a29d91d3e1c13972a73bfbd6e1cb7aeb9db520f8fca988932cd855fa3601c93ec75d89421bc0f86b7f6b5a2fbc24dcc9276886a3b373f78627d084b83

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7e2dd0f2c74ac2bd455829e7212505b2

SHA1
dde4cab69d5b65bab24bc8e56ae27868fe1e3845

SHA256
a508b03e775449409f8d4f8b621aa9a9d81bbd70212d95f3661279d3ae000dcc

SHA512
e22cf30dc8ec58eb7e0b601236f8cbb13fe03fab37b953087961197471cd155789cfc632f37bf30c6a6b540be3db0f174931cc6419f7a0e64ba716130c41fdbc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e9fdee82e96445f571fd85aa4d512d5e

SHA1
b74a38035d947a50f5cc9ef01c3a9b2feeab8505

SHA256
0a582365a0e496a6704991b75bf90e7957263cc3b0b15e84c7b83d46c10fbb48

SHA512
4dcccd8d903c7fb6153219d8377f3f34198f06ad7f6f4b6d18237ab15ebdb4db32bc823a78bd0f8860220c1410001a5c4af10e61f2d8c0b8480b27b4c13ddee2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
693d6f0c95861df5089e93380110e000

SHA1
5c46eaa99332883392af20845ee5a94f0faba651

SHA256
b66c1f7d05bfc3518b260b1886ee71396f6e42b46f0405d50db2ab682550b0ff

SHA512
95d46c9590d6a6e1f0b209797330f914465e95c388a9c9c81cbca005b4c41c8255a9b9c8e19433c1e690c583a239c93bdb9a152c34949918419c5cf202a5c803

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
03f9de1436aeb335874d1e48372f1230

SHA1
d5e9f01f41f8de5475a58b3e1b45e99132de4acc

SHA256
37747569a7731c49a930e1dbceb8f6ca02231564d717884b8f607d5c1df11fb5

SHA512
4dbbf06dd42bca9d3b7e455fc25dd13fcf18796743a10ba46463e687d2419a661021b6e25a45184aed31cb1cda1667cf1eba3c6291f29f33ca93013ffbf6a9cd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a651432d740874c45af1350605165b5e

SHA1
4175f418f233e89dc2782dd3b381539626844552

SHA256
cdae09e2594487a27c4699a7e4006957aae4689a0bd50cd8571f9aa2049b638a

SHA512
18926affcf8917c30936800adbe26636caafefaf41de48a0a7eee530a935d2aebe8619f094b96b051529f190bffe4a034f22c15db9bdffb66e18a7631706a3e5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1ce98a0ef5995ac16074aa9793e902cd

SHA1
57803612c4fa08faacb6ca0d766759574c0fd09e

SHA256
82433d4f74c58dee7992a9b54eb55d8414fdcec91b0f3b2d41adc52dfc30e5bd

SHA512
7be8b93275a2d87655b8a187588290dd0f85319a4e44a8ecdeb49347f26251127f4198b2e724b3d9aa2d3cc543fa10941cefcdb414b39ab0b25b39d3416f169f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8404143ea991eac46eb07a3870c4cb8d

SHA1
b05e6e0bb7d961b26b71d79c93262b4daecd462e

SHA256
7f17afbb3ff1fb3168cb56707284877a9e95cf8bc7090dffd607eab8c6ba5d18

SHA512
3905ee2a7cca78fd5d0448e262209a31632622b8ad51d13d2b8275c3306162a982bbfaa1fdba4f514578bc6361e3c620699e9d61f3e89249f29bc80ee8aa9bdd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f7e3f2a77eee92e19f2862d32a17f7cf

SHA1
b0fa4e3bdf2a8a835664db41c7eb6b631c572039

SHA256
3bd8b49b56f426a7e1bf1de938aaad07a9edfb0c3157199c2390b65861510e80

SHA512
5180ccf6415196d6f60ee8f7da48c42996956b8704a33b4664c4c393c9108c8644e7af27a2fcdc342b7db802b13e246e12577f0eb2adad29929e82369e80243d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
46dca7e15be2da9dfd63cbed1c450e42

SHA1
b7a167fcc3cc2f73da006eeaf1bf337ef308f447

SHA256
c9da213d9005625cbb5dbf189c1d9afcf94a40134d8617d0e7cf0c1279b32e8d

SHA512
eb40eb830fe4e378b5522e6cc7eab7dd4f61ff6309c828124455c2884c0500f6be4f837123d1e1e8b8cc37323d12a3be17b62f1d2d7fc8f28dad5d870c9c1733

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
463226ebc79ade94ed447926b3d5b6f5

SHA1
fb026dae1f19d78bf4001c41214fddcf46112bbc

SHA256
fc48d365d88889b8456131889c3d24803d0c8f47d5bc0bbcdeef9542e6a4690b

SHA512
8d771f9d34c5d8b82ea5399206237b25627f1557257663df1b4371251dc8baf7f72fee9f354cae5e24a14c2f9bc0449576f4c4d8f6fe5780fa0674c99daddd72

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cd28bd214925d75da8557fa1fdde8517

SHA1
dac6cb7014ba08055dadf6e73cefad375fd7799b

SHA256
f18b9ec38ec834199f7b7b03d2dffa1567f82f895d1de8987d7b8314f5ace06f

SHA512
690f475cb93e5bd9a6fb85b87314356ec295bd6914697737b2154e50ee36ae45d0a6b4155c1c9fec4d4fe241bf2d4164d81265f4df43274855d1da79168cddd9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0a69527937f6a5345d257bfe6fd536c1

SHA1
3d99a5339a1262b5c202644fd1bbbef308d2071d

SHA256
541a1ef68303d40751d60778bd4c7aec81432e1ba412c2da8790d13a66eef03c

SHA512
0de155b79ffead6abf76a8b27278f8b3ab7c0d56e6f4a2010d88c00429036184969e72baccb5a73048071c5505e16ecfe664fe11b0914780f1fc1fb393ceab05

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ce02389bac0bba1abbef30c2be0cf6f7

SHA1
ea5a11b6e75177973428529c8a3a259b3716ec89

SHA256
a45485ab0fc1174878a0ed70a32509316b4e702cb715c0979f558f1e71a550e8

SHA512
24eefbe5c121c46a4efc4d85a8a966e60b195ae910ce9f3601447df8dac592aea15c7d7724a4bbbcf12d6566d5a279c37ab8887ee3eeaf5c5d2189d06ae1d0ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ac3c421e2e23c1cc53e6c6451137cd3c

SHA1
d6c402aff7c260c5bbe221752daf0e7fc771b7b9

SHA256
d2e9b46d480a867966a5b19361261816e86ead007b274b7af1ce0c3306fcb4e1

SHA512
89b16afe0245248536d8a008c955824bfcb22d2dd56419bdb691dcf9a53a749700fa843736fd7ade23a7b361d95a56cd0b42cf4e70430d030af1b9fa39dd20d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1294d567ca8352d5ee847e1b4030edaf

SHA1
cbbf884c470404062be0b108ed2458ca4be635cb

SHA256
9d59262707f57fdeba8606418c7d5452130c89af7dc3609686f388a2df5ecabe

SHA512
c2278ce6f8a91bc43c2274c2de69789e21fb8641cba239b31e8e1dc3cbd3691c65744a96399be460dcc2bceea6a179c595c01e9cf0f16243ff2ef2fc255f3bd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6dc76d75aed9bd7125d21db3213b088d

SHA1
6b1cdc2b37674075747a6be83861b0897557e19e

SHA256
b3a16416785f77ae159245c39ec238c67703665298652c8043c00cb0f48d7de7

SHA512
c3c5a6ca2fc95cb7e126dfa3a627e628648db03752d00826f3fab2c1922de5cb8a9035f5986dfc2a2b0f0db1b389e43886b069ec816549935f3051f7ed4b65ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3e2146b425a3ec3bd75806b1648c4275

SHA1
59a008abdb39c07f0d57da91a19bf9115e96f121

SHA256
dac30c5aaaedc54811c5ce7c6c10cb71e57656df8a2dbece15def1fe223b2a1e

SHA512
7c5dc5970a6ce7b5a1c43ab766f7c8ffd994571699467626f71fbc1dd734c89ef1248e5f4dff27229c3cf588f83a57c392dfc8d481e78672a055c20866e8d8d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
010079e9ef1dfbd90321b9219f9be36c

SHA1
d40ceb61703f1c55e6407ec53501e344209dfe59

SHA256
08079ceb5d676ab2689ec47f56d6682dc9885bcf5c7efbe16daace3e1f276979

SHA512
2cc47b51e2c61c0a6cdc0f1baaa73000c1ace7388c4f5c68b3f07bd737b0cb32e35a5f4c3f916b7e83878210202448ce85c959da75634deaa09d2d5e827431d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
122cc7aea8795199e4f5ee9a8f8fa351

SHA1
f25cf0b1f36341e96de3b8512209e5b0495d78a6

SHA256
17edbb7890bc913315455d7a54f82a2e41f2aadb84ae9828e372f8a8fc0a779d

SHA512
8dac7dc9ff09b8ab6186c9859b224ea062b6d2d17c5ea900570e3dfc2ec2f3c81c72ef1b465fad96a89849d5c27b5c70d172872e6bf0634aa9d39bcc6fc05143

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
94229c763e948e25e3c90d38606a7f78

SHA1
3e74341b97d79cba3172c374adae6b802168c41c

SHA256
8f8d017448337628284fb77ef10af29d029c02143566cdf4573dc0c9a56cf06b

SHA512
d7111da4bc28d34c025844f44d48bdec7019d3b8881457dca93ef72730a407d147116b825be1ef10d878efc79ee87825b23493d1758b47cce78fce613aaca426

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
91d291b51da5519c13dab5f82d725cbf

SHA1
e350cf4ea9cf07d35db6708985676abb34881294

SHA256
4d86d0afb7462644b0186c7490ac471567e6c58eb19e9f34895a26a59ab02e67

SHA512
09f87ac2737f7c53701ff8aed38cf37aec2fcb93ef2a1df59d766f389bf223824e5c37dca65b7ea60bc9f9a0adbb7c39e789f756c226f1e6235125dff5d1a89e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ca80c6aba09fad88c4eb1a227e4c4570

SHA1
569e44d1ed8589bb7629768c538804102a41af38

SHA256
d81422c2b007f039b9baf92357cfcebd977eb2b3ecfa799d54a4c8b02ea81fe9

SHA512
05a25cb5ec96c55c892031966d4033459dea476c062b7967c5494945e16a4e7b55af387431e5078f35a47c5b66fcc15f758eb5974289817f4de304a2c98fbc73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e01ebcbaa914df7106e5e6fe8a10f274

SHA1
b529a00614cb5d5b762000eb6b5ba75426ee5bc6

SHA256
6ed3e9e47a03d79192db052c81f60c77ae29275e4547b767d4c386b35ce18d28

SHA512
11e5a11aaac4261bd2abfc970319e395ef39391b9b095a3145dd5568c39b6d3e33eaa860852e7d533b8a3053910e2956ae60bb3f9f6acd89e285d7dbff7fcd36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
9e651fa92573b57377011457a3903086

SHA1
8fe55fe7a278e31f65e1390459b1fac7e27d7b4d

SHA256
da16c8c5b6d419f81c3e355b1c0574539659c6f18d192a5cf762d9dae557b2ca

SHA512
ed7c0ddf8259e6866c1f77c579a00da6752dcf9a4f0487b3c19cfe67d35eaae8ddba4be21c38caf63f39510f0cbd795222631b5b35f0f9ce20c7791bcb235fc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ec6010980344993d936a71bec88cdbd2

SHA1
93c391e5cf8efd88d5bf4957738b04c59562bbfc

SHA256
de8d17845c0f92dddd3be1c1fa2bb755c6ddf6ef8488f9498b48491eef9a7de1

SHA512
1071ecb10a20ee7f8200aaf8f76031671aaf866a10fcbe8ba79dade7dfb77e6d6122a70cabaed17ed1e2b4e2ccd0f67ae088f24ce4f6fa8b1df47bfb4ac17986

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
67dffcd6963e668b9c76e7d29a9c056b

SHA1
1e35f4f9858c242564fb40e2fb399288da97a9ea

SHA256
9acc10afbc855ce89b67bd411486161dc0df7c1a822c72cbb5593973ee44509b

SHA512
24525867f605205c5a7068326d59778482ee6ed70684082f11a4f15196dc7cc9a8eb1752ac87b63314f05cacb31afd67af7d34b20c87be0b77ed2dead5476899

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
75e127e8e9897583e9ef7280c49bbcce

SHA1
e98888cadbb41b336ea136d3e29d794f0544e183

SHA256
c55d70c1cbb1392c288a3f15dbd9a18156237c30b500de30afeda2ea0f1b3eeb

SHA512
3a5967dbad223e250af3bc5d674d2b5c4692ae17d3bb400402f320bc35607f7c80abbb9bd7f1b47d1a81f746f57f94995aa149738cb9694def9cf81b01671169

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9ccc2cb78a5864ee933d3e82df00856e

SHA1
32c5e40b7ff2040a6385aeaeabe0644c6cfd82a6

SHA256
e781ae5132bd8c9c98189571ec4cad159fb85186cf9abb74df30c2acd05b0ffc

SHA512
2b76d4c28f551104ef447cf47d9f6197ff5bfa912d093315bc33067d2ab91bcabbdb7d787ce9fceda4dd6c369c0c923f33897a945f1ba3549fce31c7a3eee298

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
80018050f23ec19cc76b2281f4094f27

SHA1
e41c6772d6a40a258ce3a12d44515cad193caa61

SHA256
1ead10def3a4320689413875fb36bab469d2cf6ddf6013430203845751740132

SHA512
cdaf915343cbd187a72ef669e1c7553ba64135e9623e9386c8e2519850ef4a9017f7a1732aae962a2749db80fe4f4d11efa3e98cef3f040612e5930e693f0212

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8ceee6311824dbf38fc7f63d84f1c009

SHA1
23b17c716327ebba00484f66d52e2380206d8840

SHA256
cbb173089a83c4edf25307d8a21ac03892c9b7e6e53013b5ed73e9ddbed4102c

SHA512
1412a47061947e47ec59a4189d73e2e3c6415b22c8a0d63825a2787e1b46ea840a37042ee9d8365310789cc45ceacfdb6256886813c4010ef90372a1548d5dea

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
efc0c06021e4a0c98dfcdf98de61a62b

SHA1
d7e87ebf93922b9e2b8934dc38a609f58920585f

SHA256
4264dce4d4fcca118eb73bea9c6a5f2b5456f8fd67d62ab37c324a108e1d1053

SHA512
086fb1bcd2de8fec6cbc99d72e715aeaf41bddab95f00d10c83bc19731c78d4df81543d5595b518878d9cb79dc63d8af383c900edb1724c4b1d11460f4a7ff0d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7c03cb74b11d3cec5b1be7c3333e86d3

SHA1
5fdcd9bb31496316d7998eb644c88cb138d0d8ed

SHA256
9781c18651060f678ba71e5c239436939b474430f0ac54c8ac88409eae0bbb65

SHA512
879796785deedbf5a2ec7822db30b6910fda62261d82d66c8d2a7424cc5d8d5fb8e86a1ecfcddb9a00db832a5e8f5252d5b3b0d444fb40c4cc28c12ec5073951

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0790596a6e9a522f1e9a6e0caae0a5f2

SHA1
6c0930e3647ecaa929a344aace1dcb7d7862d885

SHA256
318ff35d8029694c08361741b1f13848061f14db2ee19ad3baf4e91f669ecc78

SHA512
4122113c3c7be52f5faee2107af8e906b560aeb7f4c2f4106e79aa10261ae1aca7b0470ee672d4738f351006fc7dcbd032d620a7914c0605cee44de258d016e8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1ed4f3561f60e8147e5496657fc0ca92

SHA1
f21cf58fb469bdb9c18932e6bc81b3fc48d41cfe

SHA256
c8d28058810b241e391125c659231e5bd6c77e1f5013d2409bcdac91f8d7c503

SHA512
8c01b32f7178334a69ca49707900a58be9457257d36ca4df1e60727a43e0f3a651e16a6eb56a9372d956a1b0218b0b488251ebac3024e79f7356a781f106b3c3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7cf1ebb56264d33e9f970e83472576d9

SHA1
55cdb6c95b0f2abdb22e9974f449c5264f9c058a

SHA256
ebbcf7a6e7c97c8f2076f4b06eebe2c0be8b44e64239887ce3a5ecbe71bbc1d3

SHA512
72a54ff849d7eb0ec1ef26143fe5c61e9e37273f96b2f415165b88f721d011ddcf30d3a107c8b45a6089679701ed4d3d14f07d2631185dc86068e059076dce15

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f13e841670890494c45c10dfa029430f

SHA1
ecdd5212b3c02707ee77faeba503c49ab0847cfe

SHA256
74b9bb1d2eb77894cdf432ae9cf3ec6492130fbef7ffe4e5fa47c7327709b28f

SHA512
62e5866dd79f46ccb2e308749178106f9bc5b09bd16ee6abfb77694ea23fe56016001853569daf7c5087afd3c7c535a927dc87e8996c811d81280416b0c7cf52

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
adf0ff5bc674f120a3c59e79aea1db0c

SHA1
9c2f08f663b18f67ab6888ad9f1240b018121247

SHA256
2de7bac0df4e0f8972dfbcef9c585e12e389a9b4e081c8d7c46595fd1534b153

SHA512
82825884cd19227be16859052fc4a0be81ab441a40281d51bfb85796d365a390e146afb254969bae5b5f9206e378bceb95eb38a668c85f88e3d2ed02081d4293

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
118d18e067a209bad8351020758a6c31

SHA1
39fa90c796b7862c3ab91a2433f03f08461f71e4

SHA256
8f04da90d4428b531fea9419316b5dd4e41da18afe8c28f9040ff489ca6f70c3

SHA512
ffb52f74d2b32f8f02efbccdc34433d7d13f1632ad72a40d3b6af46325693a1aca1ea377cb7caf76b82de9053bfce130d92e96249e2c0a4a60279dfaf0d7059e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e5bc8505bb3e21f82d7e7398c3fe7941

SHA1
d20571f62d887bfc1950e01c05178b07e9e91b2a

SHA256
67762703d3be07f5c297a399bb2b34c17ee746976b1c6689b7a11c1f281279e2

SHA512
685b011a6f5c14ee6631c95d2fa2c06439c09aea306c5c8e1a00d95417c4cf893582d330805672b02bde000fe2f4f862ec5326878c007a278b517e5642a8f435

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
515dbb0475770c7a6f25d2ea1aaa8aa7

SHA1
b1a99449bcfa99e9e9ecb353459064b11ef9cd0d

SHA256
5989b5e257c6cd9f6f96a29f2d7adef1bff41e369b4f212cbfd73ef7a3dd25b8

SHA512
ed33b5f8a7206fe1e4665aaea7893177f09d47e10c38231196212998a33919f55e0ffffc632f05baa7f15453723c18ce6011fe82b0407fec69ccf6589c53aa0b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1b7bde37ae56fe13a6f8d61cd1520e14

SHA1
41334957e386fa36247a2b17fb2ce351a9bcc745

SHA256
ea739970d8a0239a5cc4109b366763f75b9d16803f7a6fb7068ed8b7f0b83693

SHA512
3ab7d3be5332b43eff1c1380ef36895f311c7f3ff4e9f7bb0050453c4815018b348b9bb9d2c331fff30209c8409f5fa56d4df4e6b546696781bcdfd2be4fab31

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
89bf64e6c49f806af45adca1fdc82600

SHA1
145fb8f6019dcfdababc5c20b99ced98c89403ce

SHA256
aadfe11d8bf18767b2a7c2bbd21a9667c12a3dbdd3c51092347f0c3e415663fb

SHA512
7ceccbdcc221f14d3d3d0f2c4f2c05380095c62f3a7fec8be727076a2987ec78998c66442b88997853256254cf1868c9369d7b9d4e80063de09f5a83484ade49

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f8020787e54fb6dc1097b6fcd0fa81e8

SHA1
c68737d3d6ee114d0ff28b01262b73cc7010c408

SHA256
016b092c0398f8a913f7dacbe8456a96cf2230693bf52de45693b84f0c5860c0

SHA512
96805669005ab70f218cec6726455a510c24b86c4a76afcd6a5c8ccb28dbb886e26bcc72a6282658a930b64b720eb0f733ea53be035b70cdbed4e72a05a06e8f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
95bf9d1644c5e87660aeec480d056559

SHA1
c6cde63673cdf9dd34c6b805f9e260ff02ae05a8

SHA256
a95a40824c61ead64fe1711ee2112f46857087d9b5eaa21c82b55d418b487611

SHA512
b1770574deb3af0e3d227a2b5dcc1d6ad67ecdb8f5eccac6a13412be08131d43e5f83f08a61a9ee7cf55a7c45ff6bbb6ad5b9fa6c6c2e1a4c63920d040a80149

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8f6279f39158849c11c0c087242ea6a3

SHA1
1b0ddff97070c39406e49e91b4e02898f2f52a7f

SHA256
ff5ef014594591e141de088b0e9fcf4f76c9eb981ed0cd2a8261a5fff08ab049

SHA512
4559bb51c499b10e838b61b18a2e56c01083174a5327934d9555854f053c41ba6888047329e3538601ba071e06f9ae95188f8c24ac3c7d2f9d7ec125c107fcee

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1d430c7574607246ace2edaba467e9c5

SHA1
7ec9fe076a7288664cbc4cadd71f930c9f455573

SHA256
02e1ecc94ddcde5b359311176a0c4d06b64044bd5bdcb201e38fbc0f7589fd5a

SHA512
d5eaf511f6cb40f964d88fba20a5fd8a330ce6e6c999857cfa2b1591f392428bcae13f78ff4e88cceeab596bfab2c4509db6569e463259364a5a6c40c194ea5e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
162866c158d8ed52979abd843c68a759

SHA1
bcfc79f48ec4423423ae600a6fbc7a809bcd40e4

SHA256
e7dd53f244cf84431d90e826d0aa5f5aca83291dfafab3d0ab05348b79eaed6f

SHA512
025cd48c040b94810d08026ef8b05bc5dec01825d1385c1702a05894f7926c4102ff518ff34fe59b3d30391c5068bcf3f648fc1bd3daadf1efa5ad4b599e425d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
eb20fc73bb4f0ae37023344a8e891e10

SHA1
5256405bebbab45ef100795a407a92304d546021

SHA256
e344437e944d47f47b77264b1fffb8bee085ef4e27e15dc5921015cc97db6f6b

SHA512
ff7bffddf374d37a3bf9d15882db24e52c09c2d917f46a332d9d99eeb5c049c96b327284a7367523e50461d7e28995810ae9f7e88ba5b690d1f000435e979879

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a856c628381d0280cd0027707fa45dcc

SHA1
0de313a64882aeae95c19b4afd006a64b860897f

SHA256
2fd67ba958d330a6efa2da3022e0631336622bd12abedadcd39059c6b457b357

SHA512
2e5d4b8a7bc5e72008b34663c68bbfdc4fd84dd4fc70680e8c427217bdd580e0226f2183cf5c506beae53ecce3e56efa8b1817aba1a45424ef9150b399a1626c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
21eaa6e57ed95319f3d816aaac489185

SHA1
ad0c08f56592512fe514cb6be984be005bbc8f5a

SHA256
d20319750d7445292b99bcf6fa4244c122261bd49c1490b7adaa78f135cdab8b

SHA512
f0257f994fa043142c53cb0e4b5daca695e508eaaa78e1a54ead6718363951c61091288cbe539b0ba53acc0cfe7ab3e23064778a8064c94ed2ed89e2a662e9ab

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4d3a6d0423ccad5019770d3f49fd6dc4

SHA1
ebefd6bd7d2bbcfba72ea64a2585e5bae104f30c

SHA256
35857d30b85f1813e2b4ffb1ef8710b4bc021e84acf9c1cf2617961a42211a81

SHA512
77c2f14e089e8e3fba9bc41cfb98d1bb20dbf0896de748d1440745ea685e993245aa405aa5c48f1fe4279006cfb3e516de7187ab072dfb6ed4ecad38800b8340

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b0b11437cd273a3c57e78e3cd476dca0

SHA1
4c7ae9a53cb8dd1394c7134bb679f9d115602c6f

SHA256
cd776e2abbcab264b19a4d2e7ae2bee93c619822942f4c258fd15398246eaafc

SHA512
b13639fa970041e9bc8d3a5d89ff3458285e0be1849410cfe25399b109a803ce51b6d4370e8ad0ed8e4c25fbec35d8cd06ba1105cd44bdbe504535edaff71d24

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bd4cd5c5358f905b744d54bc0e227f0b

SHA1
a0fe74f50d23d50ee746c20adc82e53233b88d2a

SHA256
53cf95ca58aaf1a042ded973ce80e222abe850782ad90a36036c0a26b8de9cac

SHA512
6cdf521e0ce66a093bfb876f0a6497558d6b6e892cec4d20326a1e2ae5692cf880f57ce6a5a719113d2f8034bc9d462dd64fea3ac50b001805dc02871a6ab60c

Download Submit
memory/1408-261-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1616-260-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1616-682-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1728-249-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1776-256-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1984-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1984-46-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1984-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1984-59-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1984-40-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2396-250-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2500-258-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2736-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2780-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2780-683-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2876-27-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2876-36-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2876-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2908-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2952-257-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3456-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3456-87-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3456-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3456-81-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3456-75-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3560-259-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3604-22-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3604-14-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3604-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3604-463-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3664-255-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3672-684-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3672-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3680-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3680-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3680-681-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3680-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3732-677-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3732-254-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4044-9-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4044-488-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4044-490-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4044-84-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4044-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4044-8-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4064-251-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5028-91-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5028-248-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5088-50-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/5088-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5088-678-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5088-56-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download