7e3b0faf1230bca9416bbf140e59e037a63ceb331e040758fbc88bbd443a4a6a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
Size

1.1MB
MD5

f6baa1ca2994046e67b6f6b94e8fa088
SHA1

2b74eacd5333c8488608b1554df79e725683c51d
SHA256

7e3b0faf1230bca9416bbf140e59e037a63ceb331e040758fbc88bbd443a4a6a
SHA512

ec57779951fcdc553431d9b341fcd287fa1a277d0d24e45ef1dc56d000adae072f483ccb7d429a43a2e5e1ea296a39455c011b8a479a74ba5ebe786fe40d02de
SSDEEP

24576:qSi1SoCU5qJSr1eWPSCsP0MugC6eTq8S+LbzQkWWbCzLLB+lMP1NFzSRY:SS7PLjeTq8FD5nb2LLPrFmRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3780	alg.exe
3460	DiagnosticsHub.StandardCollector.Service.exe
3960	fxssvc.exe
3424	elevation_service.exe
4840	elevation_service.exe
1404	maintenanceservice.exe
1028	msdtc.exe
4520	OSE.EXE
4932	PerceptionSimulationService.exe
392	perfhost.exe
3956	locator.exe
3500	SensorDataService.exe
3852	snmptrap.exe
3248	spectrum.exe
2956	ssh-agent.exe
4908	TieringEngineService.exe
4316	AgentService.exe
512	vds.exe
3736	vssvc.exe
4028	wbengine.exe
4480	WmiApSrv.exe
3640	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\abcd2d1b293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1980a999bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ede6be9a9bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042fed1a29bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c34bdd989bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc16c0969bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000052a5da29bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000053f51a29bacda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3460	DiagnosticsHub.StandardCollector.Service.exe
3460	DiagnosticsHub.StandardCollector.Service.exe
3460	DiagnosticsHub.StandardCollector.Service.exe
3460	DiagnosticsHub.StandardCollector.Service.exe
3460	DiagnosticsHub.StandardCollector.Service.exe
3460	DiagnosticsHub.StandardCollector.Service.exe
3460	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1608	2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
Token: SeAuditPrivilege	3960	fxssvc.exe
Token: SeRestorePrivilege	4908	TieringEngineService.exe
Token: SeManageVolumePrivilege	4908	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4316	AgentService.exe
Token: SeBackupPrivilege	3736	vssvc.exe
Token: SeRestorePrivilege	3736	vssvc.exe
Token: SeAuditPrivilege	3736	vssvc.exe
Token: SeBackupPrivilege	4028	wbengine.exe
Token: SeRestorePrivilege	4028	wbengine.exe
Token: SeSecurityPrivilege	4028	wbengine.exe
Token: 33	3640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeDebugPrivilege	3780	alg.exe
Token: SeDebugPrivilege	3780	alg.exe
Token: SeDebugPrivilege	3780	alg.exe
Token: SeDebugPrivilege	3460	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3640 wrote to memory of 4692	3640	SearchIndexer.exe	SearchProtocolHost.exe
PID 3640 wrote to memory of 4692	3640	SearchIndexer.exe	SearchProtocolHost.exe
PID 3640 wrote to memory of 2328	3640	SearchIndexer.exe	SearchFilterHost.exe
PID 3640 wrote to memory of 2328	3640	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_f6baa1ca2994046e67b6f6b94e8fa088_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5108

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:392

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3500

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3248

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2844

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4692

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
7c32bf0da85c66f20b450262042b320a

SHA1
470c9ba10235ec5d9178f6c10a28258a96c5ea2a

SHA256
9673894e31168346f8a025ca7e92bed3c54a9c61a7dea174f154bcfe2a418089

SHA512
7968456ea0808039ae5e05865b2694432a49272663a7265ca2f5c32fed7095a8fef275d5320c6f0444e1d60bb92f6f230156cf1c3549d87e443d3e9309e23a42

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
d1537db2776f6a6c94c71145ba20b8b4

SHA1
4b5814b946b0ee484ee7a2bd7ff4575904bd03b8

SHA256
09738db532f4449b3101b9fd773fbcd4eb4c59cd2a3c9f3540e44f30eafe60e9

SHA512
a796a708e544e5f6170cb48f4cea663c302372c0d525e858a0ed823de721feb563464d3cfacf3c9667f133399b8ef174dcff35cafc90d13bcf0248dd0c8cdf72

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
1d15752bd59df3d8e1ae4a00e0ec3b06

SHA1
5dd0a0f7d2d2861aca4cd117648c34597809b0fe

SHA256
09d023615f03ddb995bba28c71683869bb9c3a709d5213c4c6a91682fd3bbce8

SHA512
1ca68c38f5d4e0684689b468ba3e12bfd86449236e1329d4321bd691985796232cc3bcc50e4564567cc279f71675429fe238953114fa44d7ca6a5ecee19e78a2

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
185000256be87fd39feaf89c479ec6ef

SHA1
9bf647cf3087e66879d4b3de5e4876b9f38aaa18

SHA256
2cc9ca295c4ecccbe484f8a2343789547323fc18aaf93514c91a502608ca68bb

SHA512
0fd5e57add3e2780dc0dedd49292b07d1f2fdebead1990b660d58f5890c3198599f18147281083fcd9598387be0e2be3c0732bb07b02882b73ced14c86bfbc3d

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
3d997181a78cfe2f16acb2d5fc7440f8

SHA1
22a4cdbeef5e6e51227da88237ff4cbdae3a0e08

SHA256
91cec804f59735bd14b95dcee731a88c79773df16d6583cdd17c782e1e13006d

SHA512
4fc163ca1c5c353c832169a89c5225b9d37713c09413e785aa7efb7d33049148648668af6232f17fdccaeed54c5d60643b9c121eef5b6e9283a6415b7aa19960

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
975b52d6c58852086a2b6c08799547df

SHA1
65d1865db494be162ddc139832bbce4a4dbe305d

SHA256
6da334a403c89f81896190993335400eea5488ce21a7f8f641785aae8ce847db

SHA512
fd6738008aeb5abe61172d431c29eda17d46f71704002df4ac6619effd962d88ffb6fde7b97801726ec9fb46329c2b6b9ee23b46cd5f148b641fd5ace531637b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
7174c088fdda41a9ae42d7f2aa798d12

SHA1
6c8faedd325efd1bf8512ea4594fae4cb7027514

SHA256
b97ab45e49663946e048ad5569e1e4f16847b74087c7753b99752dfbf0f34fac

SHA512
4793e4be818dc06bc62fb942449a7e60a8e028d209ecaaef28882a572841399283970a584c57de65ee402d608013197b9d3b19d920406d0ae3b8c749145380fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
5df5aec807e0142d00deb5f6ac14615e

SHA1
173af1afee9b58b6a57f41157dce2f58d00f0257

SHA256
3bf9d613001d5f1e30a0cb4fff64be73246d083aeef5b8becd4a23c7fa3fdb1f

SHA512
cb13af629dba5b8d5d039b43165942e23a3bae3eeb816434547698d9c8b97ed4d43ab851039d66deb71bcf28eef5bf7e43d2a24719bbae7bdcd811f08e572c4f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
d264e01cc610d489efa081a7c366a600

SHA1
63facd17e458190b68ff98f24516ea4d8119725d

SHA256
5132f7cd17a112483cd44fc5bef51b825c97bd656edc94f89ca117f2a33ebeef

SHA512
b6e9ee35e10e9a6ecfef8f354f32659e7593bf04e5cc24ed26b770af24c2cd4908f5588cc7616a4f7a2643c9fd0334ea7a59dc562485334877f7aefd7a58f70d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ce96f5b9dd664032a025d895e03f9e34

SHA1
38f4a8026fd87b861e519b5670b10d70ddf9b193

SHA256
7bd48cdfcf2f245cda2c27677d602c7a6346a0a73fc86f03a80c2d8c28d8fe7b

SHA512
1195eb94d5c88faca1df62021346036cb399bbbdb63225a4c85a530e509ffcb7ec6245c107e34c3e4f26ddb21b1b1bd8b397df934ae01894949910756aefa2ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8db725b18401a9b652a8eacd31295b90

SHA1
9ff3454b922261de1313cd0640e3a38652532d49

SHA256
f5f6b4e9081b11a0de11bbcee8c03d08a4c35dc0b32d9708cb63add9e2bb735d

SHA512
24c97a22b74c925e62baa835c0142ff4f481444717ab8a4e0ebf1b9656495583914056abd8bc50d4e816cee7b1af04c5a1158b861218656454fdfbf246491960

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
445d826a9f7f800bbc13b925427150da

SHA1
4882720ac3f2052b98c9ef81d7e947cd376b6eb3

SHA256
1d861842393178cbbaa537a2486252eb66f576bf274e408903333c6b6dfaabf9

SHA512
692847f9ca88f1d6d0a7aeaf870a0e7e9ca677083922d13ef06f30250e10dd25ce8375c18b35d76bf8a80c5753023dbc3a13e4f101f09bf824334fcc5c1e9c51

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
ae2457a872cd563a27a8d60b478ed205

SHA1
ab8e828f1e2278bc029cfd6cb9f60dc83c0e8749

SHA256
026f5ac2b3285d4534a873e77f2da123c01ee9332a9697d139e63becba82fdd8

SHA512
9a49b5502e2c84dc7193a626a5f03d58a5eba6ca2a9d3a78e14c2150c22436310e38f567d92450ecb21df4cc489bd9bd2fc6e291e3b60c810adbd838cae792fa

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
52e7620fff05820b46c6923e02e83344

SHA1
fe058792695a5d823a47911cf779eae78c91f86c

SHA256
63145347f851f942bd4e48e89f321d7fdca50ea3057ee59b880d451725fa8d7c

SHA512
c2e0dbe04c83f6ed4c142c8c62a75ab80841f6c8b653864b42335dad4269bd91442c6f72883bffeca6a3f22e7c1021715e0d7995361c453ad49f3759d80c91ec

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
523760d36f97bd932add0ff23df22c60

SHA1
efd97380d582fe69ffe2d4959ae80bb1e0ef313f

SHA256
1a4b2bf21d8c3e660e66fac5611930c4bf1942d61ef3778a6bfc58776500e659

SHA512
040374bc1b4f5f05b99f00f0530aa23ee3e13f1e3da0eff97a8351adc2ef212a07199909fad636e2148ab03f549affe7ddf393a6e42b31bb8fe9a4e13d13e1cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
e1d60abd1ef2647142b502eba0951137

SHA1
56001a034bceef19de9dcaefcaef8047bc6636f6

SHA256
d98c01f2789c496ee5f60fc55e9919b5d46a2b96cf2c13404ec9529711582be2

SHA512
f44bdf4e81be97f7878c022797ce28677b05f7dd1acc9d8544f37fb5c2822a6857f7ce6584dd9bcc0b18ddf469f3449dc71ae2420fd0b80aa3e22b7aed03078c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
dec2472f259e182283c77d2328a94dd0

SHA1
bbe7a868c4858e365a898a82145f2aad2619f034

SHA256
9a41ef13d81b544d1402baee540ba33303338dfcc69e0436088cd09aa4a3bd1a

SHA512
af14fd03d0bf378926d87e7466247e73668f9ee167d123ccb3090bfa93ee433007488cb64bcaf8df31ef56c4bb6449d401096dc6ca76f68976e09aa78b67fc21

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
8094bc24ecc404248c47024a9e136a60

SHA1
5ae43b29d8a013c5a3172e437f53977fb8ea52b6

SHA256
b14eea7238247cdd14f5a20b56b7f02f3e199baee897cfab7c91cdbaef21aeae

SHA512
2d9dad8755f64f741bee336165733b8146f56579d3c9bab0b80ca1e3b3354d8d417bf6d8b41b64058062c20cde93317e86974b18acacdfe0f4ecff6a32730aa9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
e4a3a0fa1bc62466703a4523e22ca2c6

SHA1
428d570291bf25bcb47e5973433e06d96b519e0b

SHA256
402fbfae60023c2b45c2adbc024d6581fcb26367c2222555e32e0b8bb928d18b

SHA512
0bf0943ab6da504d9b559434077c9cd82128a57c15ef1b715187edbfc3330c6efb6b8fd436db08ad7a731706c406b65c0154bf785afe564d3888d7d516379164

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
40b7603c80e77b1c27da857359711629

SHA1
5c90f02ce0c3051cba76629f29471f6caeda708f

SHA256
7f471553b5938160e029b24acca36459ff4ca24e781c105c8c8d9887f5d38daa

SHA512
f2d9577964dbb80c7ac2bc1813fd82e7011d3b2b2d6cfef96b96945b6773cd6e86ce93190597f618ee23775e0422101f691a61afc78804d0a28ac7e1e6a52007

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
aca5d3cfe2408391ae66c0c7155ce75c

SHA1
0bdd479cf12d3f39f1d289e9f712b0f71b5bdd70

SHA256
15adb023a7044bcc7e92e35260a3b9f09a3fa378a8d9cbbe87a2c98cefb6f04b

SHA512
9ce294543627d963a5555be36b604305450f58d6da83eb8db71b478c471f1e00267d198048282577ca93104c7311d7c32d73d59c263d20cda1e3ff975043570d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
71c88c86af9886b71921977d2328acea

SHA1
936c1df1b20833992e1a48b47676da46395f9a89

SHA256
1bd2f6cccb114584bb70d34a6e5921f87670229d7070e91f228bb638c5a50d60

SHA512
02135c420a4cea3b66a922a72872d40f8cda8a926650ad6f31925a4578ca331250ddb0d338b7a5b7e17246896a7a3080f982857549b163e863c7940b5d6b697c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
953eef2a8a4c7fb7a9d075a614ca27d8

SHA1
3992bef6d94085d5c799e2a1ffbb7103e9c020c6

SHA256
79b167c646c8a6faa4e5fc34a0affff910fe8b62797b0c0045207c872c31ceb5

SHA512
a7887012be45c67a6721a0aa6f44293403bf3563c4d02879c79c55a74c1f251494e7fde3df52f8750308b27cd81e1016ccba31438bfb488e79b6b176b6dc0de6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
b61a62422f966c8794bce2dcfd901e14

SHA1
ad0409ff12d748b8df329d4bb6b19765528dd5c4

SHA256
68b4054be523f7e8e68acf637644dd25cdee321948877d3c8eac08c47f376445

SHA512
2a6be463b03f2a9726953375395349f1da11a353733e7470c4c52f08e704b739cd0a33c5348167acf54c124a50707009f3795fdec74bc2b57b176a7e8ff8d397

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
9f2dfe745036197a7ad50a91b3cd722b

SHA1
fc89e3468960108d382ce0cde73a78e3b8b12845

SHA256
20b8173c6a3961d5687b7ce02b2a72185af1dbca2845b593a8f1524c3db00f03

SHA512
fcd9edbc94488c0e8b62db5210081bb7b1d4c2446cfe94affeb543eb75402b037d726a9b3b16d4965fa88fda2fef2b284331c90de2536cda9d38e1128c692338

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
60b6c8dbb98d255f6037f78ca4565f50

SHA1
89e7a40fc8e8229710146536571977f414b87161

SHA256
1deec790b07851fa5c47f0678b134d85877569be591dfbc2bdfdd756b9ec210c

SHA512
9d5005639a71e29a735ff391ba76f2571b802d1c50d56982cecdfb98785d781a6203c043ae9fd177589ee6b88f959815b7891af4c2b804c606ea4b22ba34955d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
3c51985cc40f9eb62cc3eb7f7da42f09

SHA1
2b31d52e9bf35abf9bebcdf6e6fd2b3709c8b977

SHA256
68471b7042a1aed8474ae7ab139a08e7aed47a1268fd69e10cdc386524d65ea6

SHA512
5ad76effb5cbfaa80ce3bb63907170f63bf8f9eb867170a82915db3f849c2cc743e1ff4bff6131d7efc489630d712078809c6bdbff6f93e28a35441d848c27b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
b93e55cb0c89069c4632bb14d39655f2

SHA1
fd12e57accb49c13843f7fc302e089e9308110b5

SHA256
77757182f1a836e368e178e900fd73c12a8f801e362cd75a2d46bcd522665802

SHA512
7b753fef1c113a987b9ba8e00e583a4e237380b918eba7c2ff7cefbfc31fd1449cc1a8f7039081a53357b3ed839e94adad2317293a0b33edc53b5d6e0915f020

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
ccf3e41144d84bfec8646266e5d9185c

SHA1
5943d22a4fdf7cd65bf57c227e10e0a534255707

SHA256
cb751b3a38ceb1b9001babdc3f6f82a2b0fc81cc96c70008bb1d13980103de8d

SHA512
a7d7de41d2e62d0614e90188536d43b292eccf36831e7ca3056682c8eac78d70edc324e3ec293135e79aaf30edbb2dec15cecb35519c924fedb6ecdbdf474545

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
0d62e99e935a70b71f26af6efe192f4b

SHA1
5b3bb6da08da7692a55c5e11a4b585dff3d5ef90

SHA256
5152336e55775a0aa9d76806a42bd0e15c8c043ac261a1745b2f9dd04d4e9007

SHA512
fc61ae2c8b624b5add8f9d97537af5c686aa2f2d89b3c16ee4746ff398a51258eb9922db92ffd2855b5f1d168aaf83efa209c01945915245a491601b0e17c2bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
5e4e1cfb81adb06cca5bfc073466b6a2

SHA1
71fe30c51b1c3d1a63d928386645cb6507e81d2c

SHA256
6d60cb467d0ef8d7574e4be25689b2dadedc48f0fafdd51e2f400a652dc97b27

SHA512
cec940897d893939bf4fc6183e4394c5d8353484fe093fd505efcacf9d855621e1ddf9eb15142559c1ffd269af54c6e2ffe0c38f1c2c0d9e95cc9e28632324a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
63a7cff41ca7407f118f055aefd64fa0

SHA1
88c04acecaf7b810ef123634e3602b003fe7de24

SHA256
0dc76aad02591a79ad660be032716ca2c72727d7cc5e6de8e4206c0c7de932f9

SHA512
25a6597d71048f1b2f2409f477c29229a8628555c73f0a99497ea3518de13f19d718662d5e8075fa44ac27718240bbdce88d24309196b024664a3e3307705d0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
a777d0817a6097c94cd1dc0816ebbd1b

SHA1
2a166e78d5f3e6e94e9ecc82309a440ab7829812

SHA256
5732a6d195bc62ab8f1bfc306f90faafb04dda36fb75e0963c9206e52bb149cd

SHA512
02f7a4f1e2e1ef82ef74dc5c24460f2c4ed2319ef1b22e6d810944a7f236fe95ef7dcca4a6ddc16cb3c2956af4a05837317817057ca627fed3c7c6639857ae72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
300419a03b577943d85a9e6dcd87e19b

SHA1
39a03dd0deaf14a983aa923be5b346f13de04e3d

SHA256
fca10c1029e7ad56598a145d96048a6f6dd4fb6e1878c40d216a2cbd89cad702

SHA512
ee2e1c49f4e7c8bc8af157d6f613b8cf4a3ea61acf990d324ada27aaba3ba00769f9ed6e79eaa9164a6d444deb3078a9977739b42721502502b429b149631615

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
8b57b044e171a57b011c04bb23d7a96a

SHA1
a0d7a0ea33948e093cdafb941178813e6ae124ea

SHA256
4c97c314b73d01a0621d239ec7c07ca544794ee1d3c8dcd50a32a480bf8c6c3e

SHA512
83ffacd99710b133526c73fcaee2a44b20402333a8ed88d49813f63b9ee731a1535db5f7e7cf3b888a2829097baf33f86f3fdd4db8967de7ff6900225dc77b08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
2b13fe96be465ee586f468bbb5d0f462

SHA1
266a5ad05c268aed680ee31c63fcaac79c18fccf

SHA256
17d458f0ca82cea6dc6152640514102782da062fc1e1283aaf05ccc2b237e760

SHA512
ac7a8102b182df8f126b10a98aa8b065ca2d4d42875b38b59d330f2675950248ad9ea5d6e1ce63a149d2b54b2c23c0ea9050eb4a4236720bf4b5b729102ea210

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
77f1caddde5955f604b4af808c417c02

SHA1
9ede424a5772392fc0ee104c8428973d0bf5a999

SHA256
9ca0ff88fe1d27a75b50d6bb33e703739ce4377deb967353c5616c2766f6f30b

SHA512
f96ef8f764f80dd594e5807c03bb9bb5b873023fc88ea0344f4c4579de87a3efae29861fc0b1516c51060e38d9d90d865b54bd00d9d4c89c76904703970eb8cc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
7b90127f2743a3ba6b9ce287e1b812bf

SHA1
e4c74a183ab882e71bfdc1c7cbc1e60220028797

SHA256
ab5ea6176cbad12b94c83ada9a8880858152127f9039eb2693751771fee7a633

SHA512
4a652d7209dbd939abf33486736ead9718e0e70361b3e530edba641d57c019edf386494e0cf4adedc78354fcacf9a68362e6d4ff7ec2c0b5ae62480779546bfd

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
da3036239d44e409c3239e9faffeb8a2

SHA1
2de44af68db7300c9422e91acdee2df5527fc2bb

SHA256
59c33612befe818decb283b264738a123e7a6867fa7fb1fdee00d7ba58fcb0b7

SHA512
29e35777e68b391b2965f9a8199bd22115a6461b80a5d3dcd5ef393b2fd47cdc0959a6887672fe4d5b3fc4b98b593d67f30dbf01f468760b701bff43362f0806

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
89a1c1ea717653719301efe396d69619

SHA1
527e2c0effffdf0e9e56953994b0495c882e45e4

SHA256
9150ea703f411d4b5b6dd095f771da87d151f6d129fa0ea86438fa7ec88cd775

SHA512
0cdf8496c6f3c76e2aa5291d2eb1dfae941e2168d903510ae5dd5f45a09bbfeb0bbfe5923885dd627de5027008d0d49c0735b28eba3696f52b463cbde7756b7b

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
99860f3eeca47650ba9af92e91e550f2

SHA1
6c3b9033026feb7661a1cb896e357dc67acfc2bc

SHA256
9c756da118c3b2fa0ce694fc46e19fd1ed792bb8cd1f427554af515d0a2c1e52

SHA512
9744472088d4ac748b165a0aaf56931e4ecfef66d3892034f4d46ddafa4b097f1cb860003fdc10ca79a60268791ce4e96899113e96ee22e89a1e9246e740c2bc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
ad2d0d3ad529c24514552195ad14a8c9

SHA1
7eca3d1d6364e81b7d5b0ecc0fa8390a9e468081

SHA256
2f378a681f3aaef6c377dc7d385ce8048417cf14604ea0dbb970484aee598c0f

SHA512
3bd1b122f74dfe0ef234d9ef53182c0bffca1c62baea42eb2430039b029a7339505399c858f49729c58a694f9d1f3e7470101a8dbbc077b837936578e13a7925

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
54143593cd8995ff95e8899d7d2cea20

SHA1
50c8b93a89996201107a0cbb72058f9ebb1dbe84

SHA256
b0f4e94d16decc19e99464c2a07943f7a8d970bc81c32f99ddfafd6b626f0565

SHA512
faf55f2e6b5dd672e28ad3d127eb4630f41481f865b910916742d16436435675336b60e078e9e8d669d15b2704052efb01c1fd69dcd5273e054f6a7942402966

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
5e5037d387bcbe71df1afaf5b6617ebf

SHA1
2c99d0afd67bc9e28310a511ec1fa3706920169a

SHA256
bc73424168847c292fd3a839c1ae6faf947ef32907467db4d87d79b4838bd5de

SHA512
7e09f2a2d136a2345f2d171b0306eeec07e94fe77436dd3dafa485d220f34ac72eed39944c45412c0b198dac6ec5321a5a18e3a74b9de0f6e79eb5fc86e36736

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
75894d9b899e5bc1cf3cf28800bd3dfa

SHA1
4d321374cd49883a1b6e92e85357726cb3bb5e10

SHA256
064b60d2cb008a70d33ee694eac3e54d88171f4d4a0821e1f84b81a679b1e441

SHA512
3d1a61913ce35a20cc8350d43ab870ab23473030e17ab6e39f3d86658a1093f5d3ca1744405d8ea7658f12d7c6d16323f54e2e67c3fbdd797e48d9bebe460faf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
55e4e6e4a433bbe3481a95d2abc6c9a5

SHA1
d6be8d3d64bd50e2fb587c9cfe937665036973f6

SHA256
5983ef91522da0c890970778f811463ba55df2feb28a3b51eff03d8953419560

SHA512
c73f3cecbf7ecbadcba2b7b24ec53f1251fce8a205cd2bf9fcfcda73397ba132451220192fd014b4b9dcc8d0337d95716fcaae5873c23176b57f6516987dcddd

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d4ef1179ab5a67f790921c25fdd11994

SHA1
6b8ded9a82d5b47db756b51a0e788dcddb306dc5

SHA256
a7c7bf9975c64229d8c049190bfd63b4174dfd30f16f78cb809ade3eea4f86bb

SHA512
483cf06d0edf54d63b4fbd54b04b52d350ca535e40209dc7ae8701d7bee6788693038135991e05d872522e6031532c953a25d8f0853598783ac17aa132d268b7

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
6f814fbadf6fe01ec94c3c2cab75e847

SHA1
08a5d97f9d97306b266aa78ddbd219f9e384e68b

SHA256
ea6ef1a3b3c5725a1ee3f750af1d8e9f7720e1fd13eab1fcff70f1d600c6d99b

SHA512
e1e1407de036390f40eac788d567a2a292cac415cdad8b25eb4301b4e6823a61f619acc1009039cdaec4b235d239721d47c8ec82ae1f64a2b93c0eb505580727

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
0199d5c581748279e0fdd4a79c114023

SHA1
fe6578c7e3f5ce3f7b07f92581ad78d634adbd25

SHA256
b75b83191bbd52cb6c650472611562f47560b89300ccc67b104b5c9d393bf53a

SHA512
429d77b2d1d2b387e007fdfdbbd2161704c1f11a6f9df9a4ae9e18554a43b1ea82ee08bb74e36492d6f5d86aefed966cf416009611aa2b50e37e557daa65a3b0

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
6f2c2dffb62fbb972aadd7117326168d

SHA1
890e92b49841fb96975c1fb193aa77b35d0cd75e

SHA256
5851f7e4b661767530fbee8af3c4c16a040748edcaed38b5102ab363b520b44f

SHA512
48e82152f84a3fa3e5bc0d98a119dda390025b01034aa5d42ee3c187e6501b04d99a9366c2d0d755fd1fa35864c800e0858bcd25bee2664cc690875e2b8aedaf

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
9e64c7b21e6d37a744d361f5009ed6d3

SHA1
55aa51f58dac108e24429345c57ad3f9c27e3068

SHA256
32de38bc178ff9e9c24ba4461c61cba6f84ac30dd79a7a517ea71b20fceb7027

SHA512
5466f8228a2969a479e2fb477abd0ce3687ec820fce21a3b54f5d7057cc644d0ab0f458194db3ff7eb36586a601c553862632ed57a3792662b545a0eeb0ada0f

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
48ca6baccd084f41934160faf1030c7a

SHA1
fc50acf0cb712d9e4d47c6ac0f0f8db00d5fe5c7

SHA256
09e6bd5d037649713ce173e9dcbc5105e6543b0ba39bbbc498ddd7af23c427b2

SHA512
d3ea69310c13868b978c02fdc1e2c34b61526a4215ab68039e7ba625a25f41ecc21ba4f8dff3bd346ac78a24f4240d154f73be42453e6195f65322ae2f5d265d

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
b66fbe0b47c433f238648b17be557d85

SHA1
1b5193fde29fc7ebe6d247da33349fb6bea27887

SHA256
3a7173dd758934aa32950623628f5a4c3cff45f462a9e53dd9b3c4bb810823f0

SHA512
646c691cf58cd89b2b221013411fa6c58a5602098fc31bad9078c9e084bf8fe124da5ae9e970945bc9e3b0d0041e089a2493c286c4eabed43102536340ef7a92

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
5bea3eb10c28f68d869fd38f417c2b4b

SHA1
50164a31155174c9cabc98c69ac750937974380d

SHA256
75826bb048f69021645569ce0a2961dc5ca94003beb639438f5b07c3e16deed3

SHA512
e04151aecd884804764b9a7ef23147d9b67b0d1c1adc31a278b28ed41402d0b2f86d02ecfa126ab529e2ff617f7c66fa594a1630ba34f3bdac6cd01537720313

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f2b4c09ba3bd9626db78c58db91bd61f

SHA1
67634db2fc0176ea996064457ff3db49d116c7e9

SHA256
e275f98d069a9df298c247a40d8105fdd8760c9e2156e83d14086c8c27966765

SHA512
ae26042063285ea5e781d56e72e96bbef66dc967b8eb510a86e07b864a64a22becc5b9b15aa071301a73047f98ad6485091f23d790aa2574201aa4e6edc7b58b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
f402e52d90b954e95fc8e4daf1daa1b1

SHA1
b0fd75655b5d3a86447e4d341602079f191a7475

SHA256
dca41f9f80480814bab47f5d93d39ece3adbecd212afe046e55fe9ffc5370da4

SHA512
8225699dc8963e87599bfcbbb6518c05f9d0b162ec58c9afd32a7b519b48b3f54ceb0fb86a260ee3f7c34ffb675243dc1a440f19e9e3ea0fb81e70edfa0dd365

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
6c465479de9e768194676ff4d1df55b2

SHA1
dbd60142137802f45548b51529b9cc90286daf7b

SHA256
39b6b096ebf3c737ccb82545c34e214f12445b941be58caa80c51d7ec3737ae8

SHA512
03cc26cf18988e70edea480ad5981b909a61a10f1b0d7e8c1b6981c49049fbb5a3ea1d71cd4e6bf0f3c5975db773e3aa562a6005c890168dd2a7a14fc983c625

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d7b5d2db57a368e3025c0a248915d563

SHA1
fb46fd34d0c908c3834e79145040956687a19e0a

SHA256
08e94b29a2cf08571d1b4f86d82046c026a03e9536b3d1999ed976c284d37de1

SHA512
9375523210a7cf51684c59c3a9f2f1580615569543d4d502a73d0cd3905354d8bc9fec973515e34db040c709da7ffda447c8b7c7e4e966298f7277ff54df59ce

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
43ef7073a3b08118378430850debbbe2

SHA1
dcdc5e1ba2c30b986eb8eb64dc18221ed55f770b

SHA256
2a3caa0c159f760eb9bd895279d116dda3736ec7a180748675f207e8be8a6cfe

SHA512
ff71d1c5eee3d4958be3186ae030e205f956bcf6d3b7196f35c1b076d1dabd850c0fec85f8fedef53897b2e0f76857a387e76c82f8fbea2d2e2eac4b21c13195

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
df077caea24d60c144897a1cd22eb841

SHA1
aa361931322743da98dc03181791bf06eb673445

SHA256
6faa009c17eedcdc443f9d86c47d9dd2c685b0a4916f6c8f6ca7dbbe465dd4f4

SHA512
db20c6fc84dc92db73d027a58a113b41232bd3f3c9bbd663923260413d5be94f178794cbaf259d00a671e29e8b748b75a4e381c55c9efcee4f1792d83cdc906e

Download Submit
memory/392-265-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/512-275-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1028-262-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1028-87-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1404-83-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1404-79-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1404-85-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1404-73-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1608-442-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1608-441-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1608-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/1608-1-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1608-7-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2956-271-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3248-270-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3424-545-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3424-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3424-48-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3424-54-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3460-27-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3460-510-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3460-26-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3460-33-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3500-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3500-482-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3640-550-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3640-285-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3736-278-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3780-509-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3780-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3780-21-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3780-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3852-269-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3956-266-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3960-44-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3960-38-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3960-58-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3960-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3960-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4028-279-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4316-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4480-283-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4480-549-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4520-263-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4840-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4840-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4840-548-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4840-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4908-272-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4932-264-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download