f5aed332ad3c41d54c9f314e234a43d03c2257fad345a945838f864bd1f552d9

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
Size

1.1MB
MD5

0a56ab399f727f393c8a1fb7c01eb966
SHA1

6592a27024a2cb97cc4ce7776b201cf651f312bc
SHA256

f5aed332ad3c41d54c9f314e234a43d03c2257fad345a945838f864bd1f552d9
SHA512

ad629a9c6638231d4f7305c925882c84cc18a7a37023d1823282b88a82506f548d0d83e3363fbb640996b7f3ff6ad1f024c24fbc51fe231ce64853d635651867
SSDEEP

24576:WSi1SoCU5qJSr1eWPSCsP0MugC6eTOaHsK+fM2jEaNZBqoeW7V6tGLfHtqls+0:GS7PLjeTOksDM2jh3BqS7YtGL/Als

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2012	alg.exe
3868	DiagnosticsHub.StandardCollector.Service.exe
3900	fxssvc.exe
5048	elevation_service.exe
4248	elevation_service.exe
2136	maintenanceservice.exe
2332	msdtc.exe
4388	OSE.EXE
3904	PerceptionSimulationService.exe
3308	perfhost.exe
5004	locator.exe
2068	SensorDataService.exe
3708	snmptrap.exe
4548	spectrum.exe
2556	ssh-agent.exe
3768	TieringEngineService.exe
2812	AgentService.exe
1280	vds.exe
3568	vssvc.exe
3040	wbengine.exe
4472	WmiApSrv.exe
2080	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\12c84d2dc3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\MountComplete.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c0431eea5c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001544cfeda5c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d169f5eda5c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009431bceda5c8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000181dc8eda5c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bdc48eea5c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f07f3eda5c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b16bd6eda5c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3868	DiagnosticsHub.StandardCollector.Service.exe
3868	DiagnosticsHub.StandardCollector.Service.exe
3868	DiagnosticsHub.StandardCollector.Service.exe
3868	DiagnosticsHub.StandardCollector.Service.exe
3868	DiagnosticsHub.StandardCollector.Service.exe
3868	DiagnosticsHub.StandardCollector.Service.exe
3868	DiagnosticsHub.StandardCollector.Service.exe
5048	elevation_service.exe
5048	elevation_service.exe
5048	elevation_service.exe
5048	elevation_service.exe
5048	elevation_service.exe
5048	elevation_service.exe
5048	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4524	2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
Token: SeAuditPrivilege	3900	fxssvc.exe
Token: SeRestorePrivilege	3768	TieringEngineService.exe
Token: SeManageVolumePrivilege	3768	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2812	AgentService.exe
Token: SeBackupPrivilege	3568	vssvc.exe
Token: SeRestorePrivilege	3568	vssvc.exe
Token: SeAuditPrivilege	3568	vssvc.exe
Token: SeBackupPrivilege	3040	wbengine.exe
Token: SeRestorePrivilege	3040	wbengine.exe
Token: SeSecurityPrivilege	3040	wbengine.exe
Token: 33	2080	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeDebugPrivilege	3868	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	5048	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2136	2080	SearchIndexer.exe	106
PID 2080 wrote to memory of 2136	2080	SearchIndexer.exe	106
PID 2080 wrote to memory of 2072	2080	SearchIndexer.exe	107
PID 2080 wrote to memory of 2072	2080	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4248

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2332

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2068

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4548

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1168

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2136
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
932f9a3955aafc1bb035dad2c8de09e2

SHA1
a335d1c1c4997f6f8859818f2319a1479d769667

SHA256
db22ccc8802ac793675641b0cc852babbd0b3a17acea75585444f40c90ecc2c2

SHA512
68dc70de72e065e3f07b685415dc10433b83c827c597c18351755a03363d6d2f9a3d730bba6f8d911dc9cdec2f30a50f48e978d265bc9cacae8bb96f112d8dd2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
8105e115529f9b49b67cb22a3ca9271f

SHA1
e085f867b65ac0236b0f3fa11f295a70a97e74bf

SHA256
ed5196a89f52900d7eebf52c75382c1a0743fcd5e5f795f9a6348c8094e33c92

SHA512
d657f74793fcfc63e014e72fdddada1bf9ce7028b2d8884fd00a654574a6d121dd998fe7b09cd1ca245e450a7d245281fef31fa2b6c5e3aa4488533ef8e7ee44

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
852ac139472add1a418e01281428a7e5

SHA1
4d3326a64d59f730d4efe2aa949c37d5020b45cd

SHA256
07e59cc0d60b906b6424bd7b6d1d5163a8310dd61131781277571477457369e6

SHA512
c491e0fa479fa9f2e8551e2988c80a8c1d94b6d7d43b1ecddd25352fa14d2b77811053d5e413b6a1c7f79f550c3ec928ebb2f8154c59ed1fdf9da2aaaf77ad8a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ebd282788b2cac5a7cb364edab6790e0

SHA1
d0ecd2eee72303e9f30d6e8650888744fded039b

SHA256
665e43dce1a16b6895ff67377bf428a08f0636185c6d816cf2e238bf557117f9

SHA512
790dc11ddb805850a19922de3e2713a126e54e8f8b95b5e593520b1a5c0825ad2d50728387c3adb979ad4b625949603ab2856e53f943ab6e5f007b920a83b45d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f030d0d727afbccb0eee7f58df67087d

SHA1
2c2bc46bac1eca2dce1ff53ed3a90f1894f6184f

SHA256
9707ddb4e22229f5763143c94a1bdcade53c000b68d4d4008ea4f44df057e543

SHA512
6ba1bb4c87a34b9e3c520f7432a58563a2a6c294722a075da4d5f4d0d4102c059109f6e715970822f5d00512127c783e9cb6151be9db8b2376ad079ef4dfe2d8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1d5430d3ca3739c54673bc3ee45e0c83

SHA1
935033900d973f6d69758abe928a4b75b82d7bc5

SHA256
8000cf226c0f077c3a1174dbe35a995624d284f8c38c0be4267e62cae055fb33

SHA512
c71ee648731c19886f39dfa1edd3e11aa8cb9611ea90d61c7bf4d42c96ecab04374c42a753ed14060f37d8820eec1a6bab9b1cfccf6b30cebea3485792d3e075

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
fcf830fc8a5d1b54713ac261c971c1f0

SHA1
f6fd352002e97de75f7871355f3cdc6517c712e7

SHA256
8ff7c2c92fd2118c2fef6fd58d68255c7e6708963936925d4b1ff0db7ac7e9b1

SHA512
a643739671f16776856584168e3933150afe59b0301556ba189303c37703959b1f6e902b1100b99ddbe2a2cb002d52e19e87fc9d120a308513d61cc66613657a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
68a02efab364c33bf25c9a103690be9f

SHA1
400b6a879173e27afd2cce2e67c540c894b4af94

SHA256
2ef38cbaf52ed77c333a7b14848d1d1db9854d0c6d409f5b3349958534f3dd1f

SHA512
2323b8cd96bd1182d3e32e61c69d7ea97c93fbefbfbf144768a9464bc6b479d0b35ef8077dadf64f922973441db998dac8bac342f826d25f156160fb516d19ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ec3284a61361e4fba8ff3c2f4e296cc5

SHA1
dc8e6b73c0574f4b2142137faa1448f0a46161a3

SHA256
95d9c50f5805d1e05fe9b9a072738f6dc4e7637b2aa2d1347e2c5955e8a6c6ab

SHA512
e15273dfdd1f9dc650efd117f67a1bff154ceed254d1f87ce2d65dac91c933e59fc56d6f54e8e5bc391834e81ff79e2a75604e0f99f532a87e1328948bbd5de3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ecce1ca85e2783b233ad21aaa23f0fc7

SHA1
bd2c7ae50299f94ec677b9cc69719c1b07652f1f

SHA256
6714238bf0c6d1c849fcf6171ff0f508bd6995d5db8dc12b37ed8a605271ab7b

SHA512
85cde73a0e0339b67934b729dbff35e8e2fe540a5ae873debd5690d053dc0afcd9c645e499fc36507fe5e5189439d89e0b7ee588c83b70c7918ee8dcd0992daf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7051ca84358461364612f668b7201ab0

SHA1
18a91e14699fe18b165bc41002f0f120ff857ed0

SHA256
71b852ea81d6c74ebfbed5ab89b5e5beb2dbfb25826d7b9a54e71e3784edc1de

SHA512
9e334b115c431a8bcbb43939073b871cdfdecb1ea39aa7b13a08e36a80b3c7bf50f34d0591d324c50557cfb98e392d1108e77e4033c77477e75d60bdc2259735

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
598d4410a35167505866a3054a66e00a

SHA1
91d8a305430b4c82caa9b9871c5d8e9078e512d5

SHA256
ad2e1169f2263a7f830cb0fc80c70a507dcf56163b06821ebe8f2f5d6792d752

SHA512
70f6c6bc2db757c673bc3cce9e910d299e6a4a07a3d682eafbffc76ef065a17d3e2f8c2058f98b8222d11b0cb6b85579d62810999e183ebb3d8d2f6e6ab6c36d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f82a1e5486df08bfb435d52196f65e65

SHA1
4b2a7445670555c3b87ba47c3d5212097f31e4da

SHA256
d5f97202c9540b6bdab1c63188c817ba1edb58e6084b9e3623fd9dd4f6f11572

SHA512
02778d71fe18878a957d94445f3fa90018d79263beb09fd0b5b38de5210a9cbe65904aedfcd165845ded114e3067697fdbb49f3b0a653fd62d3888709f227c69

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
481229ffdd7d683624c07f93a7ebca64

SHA1
ce03c5d9327b382facb2ef0d0663b1821c835ce8

SHA256
a217a993df88fd89ae1a84ac937ff812685fdf6689430443e3d70415404bf540

SHA512
68eefbf12dee6f0a7eaec52e320f6368837ea25be8e6996c894305f65924def57f6ed7cf12af4a5d5240b71ffef93c93d530cf2596c513146527491a58dd9b45

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d19c18391814a5d91370f85af5173e66

SHA1
ab2438e9f401e6098c7a118959d1f0122f99f5d9

SHA256
8fa3646e8c95be2523e3debe9e7fdb57f2a5287a0e686a9852d01e8a663b03bc

SHA512
0929b09ecfb38049097d5572055c7010fabd45a895cc51837fdc208bdda5874426e2633d1609fc3748c67c65b2211dba467568d53a42f2d7e44b53c440dee61c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9380a8aeaebea3de383e144ff77f342a

SHA1
7c3c230075ce85c7eb2169339d7007dd6c1ff39c

SHA256
abafdb1126e813911ffaed9bf91b31b0e7230ad32f00186451f2d69ac0ab0e7d

SHA512
4b590b0ac9b63feb784ce0f21547a7a3978f3fc17f3070da5deeb9d46082e9108750da24e565efc29df7d3faced382f2ef85d68d10edfe6a8b783abbe58c0912

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8221b38aa2039f2d184c121b67f714bc

SHA1
7f1928224feb548541edf914b91db149d8feacd3

SHA256
843a12bcbd8f4c770f7057d94894199de418ff090d4c31fe6d7be279e84873f6

SHA512
73bfa513ad94a7dbd6b971997c5cc45eeb0046353365447eb4c62b3f9044d81a8e64f1439d13328337a08ded3510222eb37edba37cbae0fdfc6901cd7d10748f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
61476fe4004c0a4865bbefe200c29773

SHA1
870620809bf675a9bcdd309be3baad906a516fd6

SHA256
2c2a7c2080a38a9e9d6178c0053c3b85b7564f17f24693bcf90e913f46406849

SHA512
20530f461bd48da675add97951c9452fd305c8fcae02b2945303da58f44d63a16a443ac13fe6177f494654be725d40ce9bcba462bc9e684cad4168ad855fbcf9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
468ab389ca9a885a5ea1140ce9556123

SHA1
1ef3aacd86809f3704841549f9f0f4cce3ec6683

SHA256
78e53e706504d50b6170309ed66f776ea4d6f52d23f2405583cc734645756b4d

SHA512
fc4fbb5c67b4fd42dc581ed068ded5e4fb644b6fe3af18d82e1c4ea2e1685fc9ab030fac65542a6a305d80ca88c94f768fa356ae7dc0e2ee13bd21dfd96a78cf

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
81aeb38a857d850ae462228297aa6593

SHA1
097b56cd18022fce630fb9565e5f460643c00e14

SHA256
6458b7f60655690cd77ec22aedf1f2d8aa9fdfcf6cf4d39ff6e4ac9422120e0d

SHA512
ddb09540f55606e23a329a8b79f97421b37b361dffa3203ba6eb89cdbb8b1fa84898fa9e4964674d490b77b45b274eaa20d360436c239a1131075142a218af23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
cc3872bc3681e6f2d8ea63db907b731b

SHA1
dd364cbe6f2a1819cc937bd67626f641f209b3a9

SHA256
ef526cc902b2fb7e7632619803a4b96d8fa29723d741da992536196cde506e15

SHA512
2553bf4bf89267ab09a3fb8a10067ea41022c62cfc25a7b9ea13d3fd293d371c74ecf48c4b87b177e8e10926c4f44b517ba7cb29c55e6c2ae9b05aba4e0500db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f59a47846d93d1c16575eed87b041ccc

SHA1
ba558f535de9812b48577da63994d8e479982d5e

SHA256
fd4bc96012b73f306b20beb979668d06e62210d3d4be4cdf1485ad27a4ea3dcf

SHA512
0a17dc6e0861e560cf4ee9d87dd48d8123dbf30c9178d4f992efa1887d909d7339369c7ffac40848e90fd5d7f06e4007de814e15888a4e361c6f93b584db90e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
878956fe7081d177641d377f2d263f9f

SHA1
25f7cda447aef8d9f95f14f38d3040d1c94b22f7

SHA256
57e040e727368044660e4726869dae5b0fabf36f4166eeb5f1c0521eb593e84b

SHA512
1a5676de2b5416785d3fad9f89d6065713c70f20a89ad27dd1f263f65ce2e89c4dbc8e6a8d44be8113e9b553e95873cde2a8cfa8dfa194845fab3139d5b08511

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
5ee7c4473e6be77b5c0efe8f5ed0a196

SHA1
097109606bc854dde48bc69895986e8476e3c73e

SHA256
396c5e6777ee69a468801b28e32e498639d09c07f9ccd8e0e442509d3342412e

SHA512
fce60fd13dc5d71c4deb17d176aecf8b96bed06083ec124763bdc9c0a2db4ea72f59138674d35cb8248518cc8429a9cf656221438478f18ca84e9640b09ced30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e3038582c46054e14da1c167d8410c47

SHA1
44b831994a0e38e95cf4a5068bc90ae6a237fad1

SHA256
c132fafb598c23a7956cf6a8919baaa07bebd64bd721966f409ec60c241e9b96

SHA512
cc0836367c7332de97c450602aee678a4367dad287fe2a7c157a32039eeb96bc9f8bfec80dadbe75fc3de7ae594a21ccbad121c22e2fe024a7a6e336821fd41f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
eb06ac2e6e0c1ce9530a4aae90a9a840

SHA1
2c1cef55dbb0261849b1426b03117e4b8579d60c

SHA256
ad92813b9218cb5806bdd06b67ea311dbcc56ce5162e75f9279bd242796cf25a

SHA512
1107b82d091d20d3e401e242cb72ad357e8b9d7deb23d515df7928615109160f54e3cbaa2c1946d51c2b5d46d0263ef63e81b6435667ee7dba09da0191228553

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
854794859d3d159d61a9ee386747072a

SHA1
60eca51eec3ee42d679100267bea1e983b277d43

SHA256
5bcc04c5a87088013fa3114ac50dc068562d6289f5e0a89a10b18d29af992527

SHA512
97b4e54320dac7b75da4fa9e614c9505ccc277f641224b6b0e309fd4cb95f2b1a245f4666ca87abcccfc187fe5650ef6fb393642b66c332e948775a164918ac5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f006120def421da437bf269ebd3a15fc

SHA1
6476dfd8556cdf742340d7351ef96b14e10f888d

SHA256
f467320a25b838b97a9b4c1d710e8d27b7ffae53816073b315ed3e615c1fb0ca

SHA512
a352705008ae70c0ac0a0e9b15c6de1ac4eaa28a64f3b9f8c7e1d3938cb8a7f42b0cf4bba5f4a42c0184b968ce8555203be6c1edd478e9a872a0a23b85991d48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
f86fcffec07f2cc859ded9df3b9ccda5

SHA1
c7aa7312736e97a24f589e5736d9e7ea60745265

SHA256
2ffd9c6f21b86e775126db2bea89d6c1180366a54921c9d599c8e11522cd63a0

SHA512
893900e970e6f2e04d1076d2785c5518ca7ec7906fdb3607d93f47691ebed9acb313c18b7c15e8220d81339c61d2656bd9c55256cbc3e4db928e0baa147f540f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
02f6be3485f6d492d3e172989a28c73d

SHA1
ff61591c4c837fa588dc5b891b8e384950b4c01a

SHA256
746d8834c07f5d316044ab5578d41dec01b982dc47aa12f3b6ec4445f6724118

SHA512
a179305daa8b1aa6efb2df69464936a844f2a1add52342f27acdda9a44625e470bc3b292031bf2cd7bacbf6f016e5f418ad4be0862f5663d085fabf1f186ffa9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
0782d60a75ee9defed664363ab3120dc

SHA1
e818cbadf476aee26a6b81efc3caeaf332725efc

SHA256
823f307b0fab057864fba287e5ad6d62d7d19bb49aa687467875848a8c3c30a9

SHA512
230effed626fb11a0c364b27213bbd39dbd53ed96b3b7758b4bc1871ef68c17f682782ca17719755798a9186b54344cd4426b5ee7c5f975a8c968234253ee319

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
91dc95f4e119b3e5b3f31c8bee87069f

SHA1
6a16acfe22f915ce7e5b196d4c196252253c25c0

SHA256
8771aa9aadbd28df57790b919297ce5a19b345d2a8798f10c85d6674bcc07d30

SHA512
8aa7172f21af75e15d7b643e7543fbfd25670586ffa08db21e8ebc7cf9369318c739b74d117d3e6ab7e0e17dd3e834aa709066f7689822f3ee59742dd2240095

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
d7e22ff793eb358a6eb4241db3c12734

SHA1
83ca6950d4ae703179dd6d81ccac7594877d7f43

SHA256
83eb1689fa92431f7da36cf197c9ee171fc5d6c01ffe139346ff2cb602f2beef

SHA512
11e35f6ab94aaee5ed58df93118fdb3741578e094d9c614bbb4f3586db68ca96c768dae444c070dab4d7ea1913e381c81b8a93a7d635d14f9a402a0d1f12f221

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
bc7260f8b786854a5784c3822b62cbe1

SHA1
040c780ab38e02223ab4b78be9945014a33cc68d

SHA256
285fb7b598308382504e68a5355033ca78ca5f449d49b70f88c47bd3a34d4971

SHA512
778860703e47fb912fa005ca09c4a9548d249d3696e42935dd121f3c2f4d0daac0c0615b9413eeceea13df9894af37baefd478848c5b6f186da15e61394bec15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
08316ba826aef6eb147eedd30a2ce90e

SHA1
5884107104a593184f2eefdafaf5e794773874b2

SHA256
1bbd3c2119bd221bdf9d550b1147491d9ab636110bb64ad03248c66142d24bfe

SHA512
a61cc04e8fefd0205e1676fc7f912ceb1adbecf3de6072852f53e777734c3dfedeaca8ef47c98fbb1d1930a6b93fecb311b904b1e42dbef795867b7675855573

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
46ed2fe891bb398b9e688e014933b912

SHA1
90704cb06c02b83d4308afe9417cee9a922d28e1

SHA256
a773cb1584e56688aa5bad94288a459ca2ed7d2270f98879ef0c2564e19f1071

SHA512
665b3526864540ff68b6fd8d2a310d00878a5a31fbb1a853c9dfd89e6a385c098f8d5457376c54bff1a525927f2f5e16fe9ba7353d2076698f64399f7f41156e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
4061e9ad7029f3dfc55ea8829bb33f4f

SHA1
91d8ef3e7007f32bdb73d40dca2e81ffbde0bb9e

SHA256
75490f7ccecd963808bf0f3b755dcaa5eaa7b6270c79ffbe67f90853d06f867f

SHA512
6155945d05ba7b899641f42adb51b071e928e4d6eaa816f92d62de14809ac7fda005db5832eaeb1f772c33a16f8b56846e88c83ada1d21e5f8868c2290a54193

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
72d15df04e8db59a5195b97647ef4836

SHA1
5178f1e9d16ea19dea1ad29b700503d6fea3b625

SHA256
b763965862cc788caac1c68d7a1767cba4f15a80a7a4f4f20bf98d91be764d10

SHA512
d36ca69902c28b5adbe1c704f80e923923516ce16327df54a0c9f70e0c0e5b0c1892daae16199a9e7b6be6e7ac8a92c20f968e4ffb1aa86f659a0d5d05473014

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
fd8a4140a0548261a837d4a94d37363c

SHA1
786689261cca4bb5b4e5782e306ca8717fbd3e58

SHA256
78473df5ca46fa3c2e58b036fce4ba7f1110d2003518131a5b63d402d55ee667

SHA512
29203dc51ff9df8bcfb691a510d268532bfa076694fa45d8eeaa4f2dcb0f09919382dd15eb7c3979e699ece112cf42383e6a4db44b2ecdc0d3938359ff64eea1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e20b6155afbb82cfa3067bbdda3dbc01

SHA1
36f986f7ef6ea01c644d0c8d33bc80b85b1c6290

SHA256
a6606e240b33fcaf1662e76d9fd0319e6386c8df18a2a97aa9a7afd4156a7864

SHA512
32126551b3de7d416b62bd780239e753dac34862b68daff67c6c245dedeece029523486c3a08deb6d1b5f991749a0e9e1e5df26be0de1bc91e20ecaef474eeef

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4437facf7ed169b421df532c9fcd9fd7

SHA1
32be8ee978252946d99132939f6af78670e18aea

SHA256
2ea66daca9cc0fdd1260096ae9103a724c36f2bfec50d68a57b2c27583fe0eea

SHA512
c7bcdf2c3a9603c2c3a3d27d8c4bc041ef9c9a2d40003e72346117c647200ea90480861e2ccf39b3586ae5de8cac147158af3456ba4da8e2b9d07b28babb182b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7efe75f3c9cf0115e6932cbd89672351

SHA1
1828a55c0dcfd2e11c1d646c52a9cf68bb5353a3

SHA256
6016c978f89c89b4d0366c1a164f49bb6f9dc07f2303ba89fece3db210ced6f8

SHA512
4086213bd5a999d6c0cefc264b42cc913a19a6b0e84192eaa3c9f2ca7f278512be9a5796539266cd4fb98f0b863c379eb338139e1ee1563f63cff392b5e9bf3a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c903c6f71be45ae60034df94072a2620

SHA1
03a0c8a7d4a8c5df6404e5b36c688acd16e9b674

SHA256
70343e139a4dd17a96d395ae1bc4364488d64ca93031dbb48c5a62581fd2bb59

SHA512
c9527f20e640721006476761f6aa8fd111e2498170e32915600e86e99429d3a81e30f1b93ef5ed36d3f0a3889c523a8d4751a03afb397275d6b577e42ce0b3c5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f5afbbedb8a5cbe706a3811d1fafcd8b

SHA1
ce5db595a2ff0f8c2ef7fed88a2a5aacc37d419b

SHA256
9747767e7a9406f952fa6a52a8fd7dca741fa1fadd30b1aeb280fbe8a39d60d9

SHA512
d09dae2eeb6644af8350c5df6a98522342088efa62ae3c6788eb6cc38d12986bfac1c2927ba317a2c5bcdd0513199c730324780e7938850d9c876923d1a80021

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
036f3eacda921c95281b01abc46a0b97

SHA1
eed8d24065bb55a0e858e448701c5d0c1b753a34

SHA256
e17c4129f35cde9ef5de9e805f2ceb35c4fbcb0cde5312781686f3086647da45

SHA512
9f874cb73462f53831cd3ff9b9e8c41e4e6c2a74602ef1f286386df560d52b63ae9bd3c47ce04ce05909c3e057f35d5a8772d62e8eb3d454ce5bcbbc959ed1f5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
77f7933801a7ca018553c5f637131914

SHA1
51e739f8cc76b1500945bda932f1c0af7a971e4e

SHA256
62e74d03eaadb4c8f4168ca9f074c6eaf0085129595551a288749e16360ea2aa

SHA512
89867e7fe33d86ef08c7fd8b5da394b42bdb180836e862372b4af4ad1ec4945a6081ab05818001087c37e5cf72225c1bdf5d0fc4e599ade97e1381fe00fe094c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e4844a497232c842646e805e37ec82b2

SHA1
47a4c6b74200ae1f553820f05c09dacc9a4525e9

SHA256
efe6fecb2e9d253964dbe7ce10ef0ff8994f21ccf9a87365197e9dff5892e494

SHA512
7217d77c394303010ed47934b4adfce14339d0259b5ca2137e49591ae601554231ce1aba692587725a7905b2b49f5614a9db81cfce868cfc589d25e572022a65

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9d30896e2b300089547e8fb0ab0720d6

SHA1
41706c3d6ede93a562d3132a7e18b68b2b0bdfbb

SHA256
0889ccc23a5c05ef2203701eea6dff53915f9a62e813af5dce795b892bb0f52d

SHA512
4dd712a3399961f18f2ef30251e60509a31fdc72ddd2351fc07d272efa797d262d9007fea2823a5cb9b7cb69f0a977ceb2404cd2cf0ab54fad0d3ee0432f208f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
75abe99e8382f7ddc45555b75c0ca0e7

SHA1
7370ddcba07e1baf10f77f54b6d1566b5cd32404

SHA256
d9f1099f209501f0d0d1cd8ce04530fd0df2ab4f1798787441ed2836274a2f01

SHA512
dda3e013cceb02f42cf3fef02adc042bd632e270244aed952313f727a1e1e2293858e852b4a1f6b497719f3714baacda2be632cc09b151e7b7a07e477049fe96

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
98148954fab8ae8340aed8053043626e

SHA1
ac6a67e126ea64a90a345cdd2e431f8b48dd53ee

SHA256
d3f7ab93e8b668348fde10ff66be195415ea84f21881f3a97094e678ada2513c

SHA512
1805fd53eb69e33493f53907f1f69dfd020053741606663f339931e4cbd26e4cad0355d96d855163a7300214c9c63adc64d158c0679f764584d28c779031d1fa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2d6d306935dd99f0dd4f6cbdd7c416a5

SHA1
91070980f02792caccc6ba0e5dc4a2fd5bede636

SHA256
d52d73a3cc6d77840e41876a22f85032f1dc402174ef7ccf2005acfe3e7d9a50

SHA512
18467c655d72065ae37f3c037f47aba73127f56aaaf2106fa2b68c0547418d43750067ef4f17352c8b4828bb95e13529a45e2f73d0ecaa5721bfa54c8cba7ac6

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e1b2d9391439314d0d5d19995d99f891

SHA1
79c3d6fec356d54fcc8edc424089a871a4b91a1c

SHA256
62b3a0aa78c9a813abb6d853768b51824e8a599d9dce84ce9bc2762d3034c0f8

SHA512
3160258fa417c6c70fc70de2d05f97f3ba806ffb1949a403a117f8b607ed91ebe1765a6ac523c2beb7cadd83086aa5eac2423b8c7740e5094b972fc8d0bd7caf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
94b169a14e8212f57091c38232855f55

SHA1
2f36a0ae7400e2579007e75fe0a871b202dfefb4

SHA256
ec8dbe9318ed22c7d09db9900686ab82e4253719ddbb78ee0e77ad9868d73639

SHA512
7da3d57baac12b28a5cc7ce7ac41894cf491517be5fac324f3c65218044fcb37bbb9c9b1c7838de21254fae56cba08ac2496099e282ee96845c57f26a0857711

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9d05f7910ae4114fd834b054413d1ceb

SHA1
351047cb4f479fe7e3a42a8bff8705eb55a36a71

SHA256
437c428a017fd9a39a3f4a03f33627f90dea58efd7e2ae3118380e100afd7979

SHA512
8fdad06c07d16fea6cc7e110504a7f0da545f23f7d9d245b3525ba36aa70cf1b399a1f7a044560d14f47ecc011cfdbb4442af2de477e31f383f9124b398d568a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3061fa2eec4251247d81abc42f3f9c41

SHA1
e71a490b5e8ea281a69ce40ccc0b3e6004eeaff6

SHA256
f7c4502fd23e0c1975c0f120071929ab367ab810a3c2ed8c4c89a7f616e77a1f

SHA512
8e0404688954a89fcca1a7d2800e3a7728c9d6cb45660ca1dd1895c29d49ceb9ac35001bf36ebd333156895d8fdfa7d2f813791f04719afe3a5dc3f7967f53e5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e27f7e8082f60b7954deb447cf592255

SHA1
5e8f07d4bbdf6d7d40a48e3363561d9694107347

SHA256
b80c64f1010242ef0fe086d0d5f9e58b039e138942633c3e2d84bdc627aad429

SHA512
9c8af45cdbef9a78f83fe41b62e6e9a3d14b75347caee474fa9a1599d88cc0e3c805c130c89216ce1210f86644d88b3fbeaa7b9b6cca83cc70cead1943a9381f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6af7a20e60f61001116fcf379b8c9a12

SHA1
83b152b0a5591f7ffc6480e04b77167ba73fdc0a

SHA256
91b1a776596791470138f37decaa8426b5a03db947cb2dfb112605ca25bc1bec

SHA512
2a9ec0f379915ed85703a9cbe812e38c1859c1b8f880daa2e92292e483dcb8d85f80eb9c5c1a754a0918fec75d4e2d9a88b92971802e3035ffdaae873eddd5d3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e11565bea8c8cefa4fcd8a07b8ad1286

SHA1
becd5812fab9d611dc671ca14bfd974cc4db339e

SHA256
caca675bd7a745270f8a7d0735914bfdda993345f05981ad6f2121a854e42d6a

SHA512
f77b348e459452f3b5845502c0fe8579711b6e73d8ead36277a9cc0d239a5f01e37e5df379009f0202537e877b205c3b92b0601e02a883fc59f72a33761c7a3d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c787107ab83c3c53575ac06b677e116a

SHA1
440dd26c2438a03a1f68ffacfe4e92472c670d19

SHA256
68df143b91f5ac5eec61bf53029e1387f59dea4bc8b4831fb937abce0cae7d80

SHA512
acb10d777ec9a57f1dc3868ba199c883e14a778c9fdd78872df11045be3e6cf76bbde630f48b57a7e3d39a444d3bbdce0c1f65c253b48d5d4f83fbfa9048c1b6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
7141a4065cf2332ac37a01b53f5b5549

SHA1
59c10c0834c6395a83de20d2741827f0b1277287

SHA256
88d869a6d8204732fbcd274982a33f663192dd72ed1683053e9f0b6c2949e674

SHA512
1fc917648b11edf2f42157acd1a991391cc02897f595c24a2ada3fc9862404ed5f27c7bcb278ab7b646bfa591e957c8c0f47d0b3038aa97d2b1ebdf64c56b076

Download Submit
memory/1280-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1280-480-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2012-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2012-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2068-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2068-475-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2068-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2080-486-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2080-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2136-66-0x0000000001850000-0x00000000018B0000-memory.dmp

Filesize
384KB

Download
memory/2136-62-0x0000000001850000-0x00000000018B0000-memory.dmp

Filesize
384KB

Download
memory/2136-71-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2136-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2136-57-0x0000000001850000-0x00000000018B0000-memory.dmp

Filesize
384KB

Download
memory/2332-74-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2556-478-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2556-136-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2812-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2812-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3040-484-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3040-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3308-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3308-107-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/3308-102-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/3308-101-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3568-483-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3568-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3708-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3708-358-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3768-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3768-479-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3868-18-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3868-111-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3868-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3868-24-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3900-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3900-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3904-96-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3904-95-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3904-89-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3904-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4248-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4248-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4248-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4248-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4388-82-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4388-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4388-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4388-75-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4472-485-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4472-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4524-371-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4524-0-0x0000000001EC0000-0x0000000001F20000-memory.dmp

Filesize
384KB

Download
memory/4524-8-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4524-70-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4524-370-0x0000000001EC0000-0x0000000001F20000-memory.dmp

Filesize
384KB

Download
memory/4524-9-0x0000000001EC0000-0x0000000001F20000-memory.dmp

Filesize
384KB

Download
memory/4548-474-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4548-123-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5004-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5048-33-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5048-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5048-38-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5048-122-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download