2103b715cfc33e7d2baa090b891e564ca1cff902a5318c023e0f691da5b90ca0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
Size

1.1MB
MD5

18064b7ff69bd7ed8eacf60140bbc70f
SHA1

0d0f7d53a0b170cb9278152bc69730a05db69cf5
SHA256

2103b715cfc33e7d2baa090b891e564ca1cff902a5318c023e0f691da5b90ca0
SHA512

f44d794a313dc48fddd3d133c7500f1a6bbec1841d27ef0633343bfabeadb42072b8d94f5fffc9cc916e3d4a616aa55535b6c420ffd32d7064284140a0d7b920
SSDEEP

24576:fSi1SoCU5qJSr1eWPSCsP0MugC6eTUdCN/j2GLl3iFSE33b9:XS7PLjeT/N/j2U4FH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1192	alg.exe
1336	DiagnosticsHub.StandardCollector.Service.exe
6076	fxssvc.exe
1876	elevation_service.exe
3800	elevation_service.exe
432	maintenanceservice.exe
1248	msdtc.exe
4176	OSE.EXE
5464	PerceptionSimulationService.exe
5072	perfhost.exe
4128	locator.exe
4352	SensorDataService.exe
2320	snmptrap.exe
5736	spectrum.exe
3636	ssh-agent.exe
4540	TieringEngineService.exe
3124	AgentService.exe
3464	vds.exe
4052	vssvc.exe
5616	wbengine.exe
4816	WmiApSrv.exe
5200	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\11bd42d5a46faa3.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{811F7F23-828D-4957-9744-9829D7875C41}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e55d0d4f7ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076f308d3f7ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055174ed3f7ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4ecc2d3f7ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d9830d4f7ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021552ad3f7ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ec4bbd3f7ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6b90dd3f7ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b815bd4f7ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1336	DiagnosticsHub.StandardCollector.Service.exe
1336	DiagnosticsHub.StandardCollector.Service.exe
1336	DiagnosticsHub.StandardCollector.Service.exe
1336	DiagnosticsHub.StandardCollector.Service.exe
1336	DiagnosticsHub.StandardCollector.Service.exe
1336	DiagnosticsHub.StandardCollector.Service.exe
1336	DiagnosticsHub.StandardCollector.Service.exe
1876	elevation_service.exe
1876	elevation_service.exe
1876	elevation_service.exe
1876	elevation_service.exe
1876	elevation_service.exe
1876	elevation_service.exe
1876	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5964	2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
Token: SeAuditPrivilege	6076	fxssvc.exe
Token: SeRestorePrivilege	4540	TieringEngineService.exe
Token: SeManageVolumePrivilege	4540	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3124	AgentService.exe
Token: SeBackupPrivilege	4052	vssvc.exe
Token: SeRestorePrivilege	4052	vssvc.exe
Token: SeAuditPrivilege	4052	vssvc.exe
Token: SeBackupPrivilege	5616	wbengine.exe
Token: SeRestorePrivilege	5616	wbengine.exe
Token: SeSecurityPrivilege	5616	wbengine.exe
Token: 33	5200	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeDebugPrivilege	1336	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1876	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5200 wrote to memory of 2844	5200	SearchIndexer.exe	111
PID 5200 wrote to memory of 2844	5200	SearchIndexer.exe	111
PID 5200 wrote to memory of 1496	5200	SearchIndexer.exe	112
PID 5200 wrote to memory of 1496	5200	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_18064b7ff69bd7ed8eacf60140bbc70f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5964

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:468

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6076

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3800

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:432

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1248

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5464

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4352

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5736

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4996

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5200
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2844
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f2df741791004541fc4cdc37d49afd3d

SHA1
c9800a46ce40c57d93a18053a1ce0c2604e618c4

SHA256
348cbbff4527567bba18853dcbcf95a1687882123dbd2d7dea2253bde2885b6d

SHA512
cd354cd42f12a8f68ac08b243bb7b757dda78ff44857bd4e1643da6ee2fb94b19caeb388710bcb4275aed53bd1174109b10a73364283bde67d01a10d538ecdd3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
91839e290ed89bc00607eb83fd514adf

SHA1
7d6fb092d8c513d4897860795b833014a27f9488

SHA256
2aa861e4f0f40dc5c28062845edeabcfe4cf8e5a2a60d3fd307f5c134da2f8bc

SHA512
e391abb4b958a34b0b94e3199cd31da850191ca3f60990cee58c482d93ff75d3fca8d82dd5e352602ef15491072ed203810906dea4261a89ff30e064fa1219ba

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
945855c9f3ca0b822d2cbaf0e9b3ae32

SHA1
40b7b7fbc89d56bc98c5f9aaa4e69b44b2bc0780

SHA256
ad62e9d5b3f213a01fa11f187bc1f09e338197920c70a1c3b61e11eaa2514deb

SHA512
62ea2d94368254cc425b80f9a5b5858da6937a593d1b7e5de2bd64896f708ed58def9d9fde255007b3d21a84717ccf0e611ec55ba777358dc398d027abff3107

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
84a5aedd580f330260d73541d2baf553

SHA1
3c5216fdf1df0727051cf9567cc1836de7aee62a

SHA256
c7f849d656afa0dddf38fb50ecb270f1a76ecdaa7c7355b6b075531f529d20e0

SHA512
eea65fe8051b686d1a45cae579923f81bf0f1dc66997807d833d46dec9b9511ecd298267e412b47834ab58be7fa2290d84762d026f0777ba7cfce6b88ad24263

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9947f41526aacfcc4aeaea3044e56c01

SHA1
606022bd27f4ae92bd94041809c76f833d5b4481

SHA256
8f0abca55e417edd0f012632c71baaa3d924d658272736d977402ebdd55d94e3

SHA512
fcd5c0505cc36e76505ad961df8ff8b8fdc458dc71e2d1155379a1d69befd2c4bf1872e035cf3a9e86706e276bd16bd19ade45bfe5e95f0339a8ae25f42bf117

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
36e96f1b24a92649154b5e84c718a58b

SHA1
9622d9f2d8716edb2d49190d97c335ed0ecd347b

SHA256
9231378d682d3b4fee1e107e9666853633e9bdd98a908a665aef3d4625424cf8

SHA512
e045325e1d9ba608c8d7e32d98a9daa71031ab5bffd82cb2ee45f9a632d3aef8aea2575706c3391ce4d3a4ceef710d0ae9d7e6c7b90407091e82e62f5866156f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
13c6c4a010214a66fdde5c9c010f623d

SHA1
60d915cdbb7fc2a2d37528266b68be855fa984a0

SHA256
644c676d3916cd31334ecafc3cc3a8f6e5212c7aa722dfc446fdbb771566da0a

SHA512
1beabe3cb05feb6b61eaacbcd3f52cf3f70c9501c4db71e180e3bbacb8f85a4d2871471fa6f7b540071eff34c6d8652c70a2fd2af3133afe49d38506baaacc8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5a0353d23d1ca2ed6f9461336aee3d6f

SHA1
4620cc993808c63e46cd005b8c4b0c5c8badd200

SHA256
c8e2b37bbe90228545195aca152fd1c705bff94c73ca2047831e9e0043a4f900

SHA512
5d1c444dd5937229756dab7863af870357b55c3193efca07fe971612d64f05a3eac7778591677d4854c240c52ac7c4d09370a7c83c372896aaf7c90f7f8fc2fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
0496b9a870615f2ccc2bceeae369b98c

SHA1
bd016d02639111b1453e67a6a0fe15fb312644e3

SHA256
338da1a9b8a3f0c95dc5403a3a2a996dbc99624b2d376b1c255aed4d8bb562a9

SHA512
1937a58f822ad3efe8aa7b8fe7aff4b0ff1aee19c51c8691c58a27efdbc8d74fa9365116fce32b6f28664a057703a2dfc9e046c45bc9bc0b9b7c26a6a68688c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
595cd81985114b5fe16399f9e816f9c8

SHA1
3b7f272b0c655af3374623bbf620934546eaeb77

SHA256
92474b40fe046002a678424e8553f6740bcbb8899a6554a8492f5a4672cb35ea

SHA512
a4bc075f93dfc05d2f56bcd24f706912563f1b224b3ad243daaa5ba14e20372ab4fa14bb0315c9d7726969c80b97ab2a012eca9326c70e0230e89e3684333255

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
59283841790d30be144f0d378a4ca416

SHA1
2309e10d863040350f1cdb22f05e0fb0d1dcf0e7

SHA256
edeb161d45dcf7ad37b7c6cdd028b9a7157cfbfec9208cd49b2d8133f4b63914

SHA512
4951ddddca3cd0dfc6272eb98b62d7ce56f5bfa14f3e2b75429e4e83362622e3238db93f30181410f5b1e331fda6023e8ba3a64f7e37f7982da41207690f74c1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9e0d32e6d90dabf5868f32d1793b83fc

SHA1
7d6fdc2f6c865b4a87be74b38c9990a4c80ce610

SHA256
57bd0f45c438d5ae1dc7c78476f75f37c8894f5e108696bc0c88e5d0d4caa34f

SHA512
d5eb1d7159c16ac9e8374cfde00aaa64c533218bb7cb8df090bbb94d7f536835c8d345ce4721ff508932a08d4d38aee0a08a49bfe885cb3d5eed712bd9087165

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d38d02a9474d0069d80202ae8c628783

SHA1
8a7ee3a66c2a80c5ef2ab2ddd6de752a62bce746

SHA256
19580cd934028013cbbe02d186d9ac3524ae277ae0b95eeb2bb8874d1d455f96

SHA512
8ab2da9a65a946f05868aca005e9b705efe271d9f6bda8353b01246bb144c237228e6c5563668ad15a58a25f1b8a6409bd7b752b6913b49d27213a9c7746a45e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
93a955b9a62efdd412072618d51520be

SHA1
21f267301be32fbc13e53b02968fd0787e646d5c

SHA256
4b041f5e19b0025aceec5df1c260bc78b62e473de4b7e2208931907787cc73f3

SHA512
b2e5c871f2abbd2fdecd0b7c44385fc8c1b17386247f962704abab07756a8efba516b8fc3817f118a9f0c08b7716ece7cd5dff7fd2293e62e4b01517ba1faee5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
edc47718342b846369d70819d1aee262

SHA1
a506ab035b379dc9e5d425809abbae248c3e1440

SHA256
904199afab0bc8460c040a6f45266ba725820163faf542bb02983745e8649449

SHA512
918d27f0b5acb6eb6b69036fe322d1dcc6a1896d734a023b7752dfe23cbaaed6d060a67ddb7a2dd2898b5d76c53e48da66343561e109a41574afc341c7ec19f5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6d8be0be45f52a953554e72840d0f066

SHA1
b660ef2f10054cf58cd5c11f918f57a64ece70d0

SHA256
95b67945a4ab14e7ca36de37bedadedd85969dd7f6b39d6b00f864a5a47ad55d

SHA512
d91c11a559677e7f38029a68236340be8eb6cb2c4f18276312fc9e12e989fb1c2f288bf855b44678f90325dc52c022bea60d32211be0c2b523d180b0ee8bcead

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3417dd251ac3341d42664704649ce9a6

SHA1
eeb13ea5f27cbaf72b20c50fa7664579f8158192

SHA256
7e6dae4686ca47cd89e3d694e31c974f609bfa5c8f9d0429fa2c847b717b944a

SHA512
60ac2f40cce90e645806ea92280f7f5af608e38ab7126d96b9ee6ee89c8a9402b9b10c3bd9d3559e44d386fcdbc11655e49ce8e48cded4610b59bf891f852d1a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
243b72d7e0f284329733cf1bc7fb6ef4

SHA1
b5a8bc5d53aed002c1fd24a875d8754f2dfb8008

SHA256
17248110105d04880431e392e75f4b69d61b5df29e1628180ae5e641736d53be

SHA512
28c486cfa14250cdd2e3f7e303a0d6d31419c461320371e970f44736005aa344d7718b8911476660cf3cf1f836322a91a40fbaa41df564f04e886e2dc1baa50a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
38fddc375e259fc7e79e151601d886cb

SHA1
50b0d22d4d63fdcb8ab0f88c6167fd147d3a0ef7

SHA256
1acd8ec243ee2e57418ce5d21fc245a2452fbeeabae6d982ddc295630e2b5a50

SHA512
d9af5b14b3453aebedd082430ac860310e1a39fb26288484f6dd8c06df17db6888187099666192e259a5ce9bfb702c1bca2307084e863a83263e830ea7639230

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
66a4420c84fc3c0b51b8360db18c9c16

SHA1
9ae84f6d47a557faca15c4f3d8ce4e911988915f

SHA256
ba0891a695783d8db7987840d4e62acacd7ddf6738721a74988cd1e9727a590a

SHA512
ef7c521db7f77d6b6f3dfa19d975c44105073a0aa802cf4e33c4021f7f25ce17badc6fecef8e5ab42a9e25cc138800c6f1de81f7c2f6efdd26ae54b1ff98ebb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6fabe01a9943ea08d6932bb0ebf720bd

SHA1
b4b1a0e6dc2c40d6c17177e7df386a8893ca1dc4

SHA256
53ba0dbd5f5d3460fb235b43df17de7475a6b3fa552957b41b00221b6fe93c80

SHA512
5addeab33499f9ffbe8e4d24bf069c547c850539af4d32bdcfa4e71e3e0e66c4d4dc043eca719523eed88596d645055a5918d42cdb89e74c7657c9d92bdf2b6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
fe0a011a71e95d6edec96432f897b830

SHA1
a4142f2947d5ca0358fb96d469d0bdb15061281f

SHA256
150e90d6ffdf9062ba3d16a2f34f1c29c7a2594740da39c911f9886b785aebc9

SHA512
c34f71fb4d7f493b1b6d8b328c72e42cd0d5e54ae56f54806c1e05cce162501d49a9bbedd6cfe31b98c418ade4600e365d483af3dc28da0cfd33ea5e3c9372be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
fe5463f6f0f6f3aebacae287719d5ea7

SHA1
bfcd3670af584403b370cd8a1181e9d97321bf12

SHA256
ca34c116adf418ac5c815cfa7eef63348966c028582c3e243a8e10579dfba720

SHA512
d52654f55b1006f04772a763bf854fc3ba5ccb58d76fee56dfd13d0cd3ae6eb2668ebd3e6ffbeb73b9fad3791bad4751607af8dc649aec4dda085b4294a87a00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
aaeba9012cb5425ebc331144862e2237

SHA1
1a108ae9b19a17096217d95e773389eea8997fa8

SHA256
1c917d6205625789ebefe4cbb23247b313d5b2a28d6f54382265d508948f006b

SHA512
187828bf52b411a5a4ec63bc40145088941cc2568ecc2ffcab19692d8067acec6cd832c21642ad60c72d22ef01e36a07892bd1c90b143bf89bfa3c8a0f886ece

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d8e8c2d3f0510a240cca5e28a83911bb

SHA1
cbeeabb1c1e2b1bc0c92b6a4f5e520d53f1cd47f

SHA256
004f41f32d4ef7eac5761fd0cfe56640c77b4cb14925a8e1112785c996182bbb

SHA512
e33b7d9403c066f4cc1e66c9e3f5292eeaf53e3d18d59bddbf72f9a1d3ced72e6172e6bfdb15ec4c7897738df3f1bfd0c6be51260e2d5b737e20ad89a5c0bb6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c9b287d3a896f15e753892f47a176705

SHA1
d483c7304578784eda38bdfd435cf07b8a13c8fc

SHA256
e550573b62055fe3fb07a42cfd1d9856906e4f602cbd16de070f3088ef73c317

SHA512
d46afa6c19c245211053155adbd700ab559a79305987cfa8eb5b2a7e1e53363eb4a7185ce190bb1d8b5ff43b14ddacc62b99653db6b8a040d1287e9a5afa1a23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
8d6eaa43acdc5992af84f385585ac273

SHA1
b993d37437880e7da6861465a8aae33b831a401f

SHA256
252a92f65464971de11097d8f5c6ed2ab9266f13ff2d4310c2e49d62ab657b07

SHA512
e5b9d3fe524fe6be1967e668e331bb5d52ad2f67efe175881988d114dcbf7e17ac43719e52daa25429132ef7edbe3e9a3a7fa93af82d8fdd5e3b729b884389d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
57be1fa4e10bf3c0d3461579861f2a4e

SHA1
7832a7898fecda3d89abc8422dfd42765a1768c4

SHA256
ce4b3ccad26ab05acebb4a144413767e1c835d270de15226df2854a7d2b1625a

SHA512
a637f2e898693411e2b2e4ed2c7612a03386cec1cdc2c8dcbb3613c118e7e7ae637eb4792cc6e919fb47e653ba0a2ff37e5a6f1bc8bb7c815a1d06f9a0a0a0aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
506e275ca954a0febb76ccd1fe87c48f

SHA1
7156c568681aec422e23d6863df72888f85be57b

SHA256
db2d4307f93dfc31769acdddd608bfcd4a32592f921ee7f0bd96ffaf9d40cf75

SHA512
1e5ddf9a068f41ab87d032d114c044bfeb88503fe079142f3891adcba7a8aaa279b63a530d2f938abb6d185230d491b301d64f01dad7ad0cab0b9b5d8e79b561

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
608b9738a47f75e4db8721eae666cd7b

SHA1
89fbfd8cb42a75516ce9247171da6690baddd3f6

SHA256
538102d5395bfd02fe05de052375d29272b349a8cdde7e34ac88b1e093703962

SHA512
a0aa175b2df024d93e3f67d136e5ae0f05d5d5cd8f5f233c9b0e0230f53e91ab7c2fc0868ab4a7e3ecdbb21604e96b489a15519814f0442ad3ee967d98b51f33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
4d8ab575a8d8a1839a63afb1ee30229b

SHA1
89a59de36da91a642940db4378bcc91766ae8d96

SHA256
7450b55fa160bb0c684d46e513c6887193d11e77c8c3100720af675e0a3e9f8b

SHA512
a3f605f093acb0ecc00b75dacc4b17b4a10c72ad612128735eb9458d0513a4d603a84e92799934473f2a58b44d028ece604ac5e4fc342a993f343c9ca9054309

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
370fe1afe0e67155c679784dae22a17f

SHA1
926cc8f1124d1005cfbb4ee69ab54cee172e8dcb

SHA256
d5dcdfb069ca0af49dfe4c299ede91c9b78b3d5d7f7e77c7ed3bedc8360e23b2

SHA512
949fddde6e59b59cce3c32f4bd9d35bb621134c39912f6f79c18d2c3678b2e3bbab133a2c75cb4109ffe7c35800afbe2a2b7173c31d64453d92af482a59629ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6118e41b0664ce55ba2f30e693b6457e

SHA1
d14d7bc2868920417de8f24f6e180d92bffd058d

SHA256
6950f0d39ff6e596e8ddc1385c3b6ca8f0d55439a30bffb11aad6e4e4340bea4

SHA512
35b88cdcc3ccf4150c47a2ecb4399a0c0f12d258524117cd7bc63bc58ca5c6a3ba0e305f255dc57afe8c6d68205c3a7e23671372327e0c68bcc2703bb8f509bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f22d4c15b27fb9eeca2818e9ccba66ee

SHA1
e7cdbacdf6764af05f208386308224566e6936c9

SHA256
5194b035af9f8856e037ac0a10b64a9f453840779ef188df65b82004356d985e

SHA512
81a3df183c5f0001b9bf97288f2624778b1dcbde8978d23a06ae915a9fa8eb6dab5d47f5415973f38972fd100954ad42f243f007b449683e67aa747e0663a745

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
8d2f147e8da10f21a1751658417d71d8

SHA1
15eafaf468dd0428d1504f26024bf90600e56427

SHA256
68c8296fe0447e3abcdc5311c451086dbbe118e3f27e21ba61234581223465bb

SHA512
372a6edd645e8312fa5b43536c02e5e44b0903b5b53677c47628881cd1126f7b33826acb1f2c4eb77f9d050e09671c09aeaed37fd57e0153bc597f194a144874

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
aa040dbad47c6be8ccf2b9fa3c5af882

SHA1
a283762b676496ce0f753749dba2fa0daf62292e

SHA256
9981ff0da05001af43c97846089d45812b79dda15d786c0962faa1e86b327246

SHA512
ae14317b340386eaed541aa2348c6a02ae16490b2fc10d90aecc7852a1f4bde4ad0c02e80a766e31fc01f21c3771fd5a562c0c958f6c735026c9644b323fb03a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
0011b74abe27ef6ef92ae89b1e258b21

SHA1
db6d7e02e80b64f8af3a57f8b4344f43b837cb2a

SHA256
2766ef3fafcb835d3d25bd38db359e55254aebdbfe39dcf7c78c497a3ca6a766

SHA512
04351ca79f0455ce47b47fee55da12d57f80a5be4d9c6ee606b9e8bfe5fa9e086cd57bce2f06b431b622640c84540e6915b87b4a18acc9884827068d6f1d6c25

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0bf96d729990ecefdfb4d3ec2dfcc5d6

SHA1
6ad90e2b6503b15af6f3c51ab1525f9cb5100b0f

SHA256
4bf4d1db0b9dee83e1e5e77896049a68d3dfb059155adcb612c4307378cd70ad

SHA512
7dc4498376e4c5b0d88db84433f68611d5a89050e0f03749c4eeca9e64a8e9c346b52a7564778d59b6a6195ecfb70582aef2f11958c453b3ce26d3a958b09e6c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
111f8e9598b1b478df95ad297a0f9c8a

SHA1
b7aec025e0b8eaf29e61818536ec676e9e14157c

SHA256
307459fda425ce2a58d63ee2e772817b769e6eb77ecaf2094d044f3e13e06b3d

SHA512
883198178c17f00bbcd332d6386981e0d894288659493c945984e6017ee3d3e7ba1288f7b0e96a071d51898984549961e94c82383480fec3c679b33f6d777bd9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8f66b66ee2137c9cc92f7022f1c0615f

SHA1
fa7c49395397a34c11905633d0a997640e74bc71

SHA256
d6d9092fe7a10c092d8bac9c7edf6c6127eb2d798b2eae851fe0a529725a5a22

SHA512
aeebbc234ca22107bec83473ff36dd66cb712d205b6f7e647be822dd37d42d1967d66cecf8ec908e2df921ff6b886397520cc00e08b954636fb53a30e54582c4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c808b7942234c983da21be2b6ac7008e

SHA1
580abaa2c3ac54c8cb03bb850363af43fada3227

SHA256
95f20bebdf9688360c3e7c412c553a28d60d4d24f44cf5de69912f38e62abe5c

SHA512
95350f05291d9d651220cf5180f5d8fda7b5670ecfbf093d3ba86e7eb4392c8c32e8cd671c80ea437eed7667cbee650b5f7ecebcd9590a73da8b245cfc93c937

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
9e9d1a8330c3a2d0ee847d6c3c5cb0f5

SHA1
22a66aded394907de4ddd6bd5a7415881117a92e

SHA256
7a761d625624e7923ed614d90b3185119cbe093aef4d531df4215f5c0e1eed07

SHA512
c2040999a3f38d5c06bb088c246fd0625c4331d714b7e76c9ca937492ca10077ba3cffab0c9766f1ae40c1d3b5b7ecedbbd94d8d446551360c12b2f40c4dc134

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
626fea1f6dfc1d58de5ffcd09f566138

SHA1
fb806a6eb7a764c19ac04e15bd1d33c420e362f8

SHA256
92004dac482f65fe86ee358205581f117b33111ba193c03f1cee758ee07c5c0a

SHA512
de1d065c7179d1235baf86cbb9a406f90eac8e4eb573e0734eb1ac0d7357b38ec70c44685ca9c07ca6a2f69242b51e818033096b05c4eca7b3dacab31c393c0c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e85f892b8cd08c032d7c59f8c155b6f6

SHA1
24c7a7486cc9bbb9caf4b2158bcbae057fff79fe

SHA256
b33a95b21de5ebdd3c420aab36bf8d847c22e09737f151eacf997365cc58ae8c

SHA512
07faa5de126ce614460f6738b4f2c62269f59d9aec8c263cfd61d8e238ee3bd550066f843e13c790d2b6eb1097615a98b0e36d857eb07f1eb44211836bd21d30

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
bd1916e28154885fa6efefba7a4ab2f3

SHA1
276aec288d6ae6b1fe017a452be627315e4a1776

SHA256
8d1453b8f221e5e343050b9c77f45bf02c3746ab4e251f43b9a70e16367b7abd

SHA512
392aabf92ffe859b22f8ef3c63a4848693fcd6dbba1522f9a7279cee0232c7f88060afad75be8b9c30092350d0fd7b423b36ce0b5862c02483e95a7ec848a27f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
fa77b38852d21f21d5175081a9de5e21

SHA1
1e278866fdccb245cb5e4fc274a8086d58f4dca2

SHA256
67880469e25ba33c2de55c0dd73552a616b4e23d0d6389aadb151183ac59e14a

SHA512
61faff05bd74e319b47a3d0eacab001802f0c03e086f01be82b377ca7c9a79eef0ef5010be9454542bd421a6ae91cd2e95e77a1a1ce86e1d2ee3b9be0c7ce025

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d86f5825f3b9e14d939d342337e4bea6

SHA1
2d46dfb886b528de2274eb18189e3b85739b5ab1

SHA256
b9b21fccb248c837777b552e4f49c1e27cd105e381976f07738aeae0f3c4daad

SHA512
09f39ba8c8363aeb02298ab5e21bb430f7c1ccc0b4b8f370ad92e15360239d453e5f74edfb6c53482f6316317ed63e2f636ac80b82adc6d2819b0abc516633e5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cdfb5e385de71b59081929c949f2fd98

SHA1
35af2a53a70eec4c2a81ed3b3c178a0f16cbda98

SHA256
a228a221c69bbae2d45c05fdf8c23e5290aa875e37cb5e239c0a0141984c5e53

SHA512
2907c0c1e8342b064169690cc39211be48614fc73bdbe602f23a5fe6f16f4b4b84daa6f26caa565bc55832a1c33f3008c7d13925dafb9a0b607faeaaa2e3e1f0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9afbd2d95d90441925978da089d3cbeb

SHA1
5ca64764cf7c4ef4a263e03d3be819ec23571bbb

SHA256
ca327644d1839ba4f5f384b7355985bef3b9c365947b02670c0e48c980f2a0ef

SHA512
eb9db0935839537faa11b3b2ceb246c9dc38d5c1c472b95d66b773bf41da7378c3771cebf06ffde6a0a0bac0fdd39a74bd3cf245e65c454ff4838db1b9bfe454

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2b0054b533ef40025c1ab066eea1e004

SHA1
874326feb5a3396facbdd3bf27da3c76ac0b745d

SHA256
5fd9878cefbcb40112c56eb8a1b8e9bf965a2e0fdff623275810c0b5718b650d

SHA512
53cf271265c76d65ae597313650edf52aa61030f7adaa1e9a25ef86c783abbd1ab3e6aa3db52a6a5aaf29e27cb39438366f5d72df2f46de8988f0d4b2b18b3b7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
63e28a3897aa5246f73315930b4390c8

SHA1
1863a1ce3eb0d479183df4976d38c3f0db541ab2

SHA256
d4547be951182c79101d452c9e7a4693e2c59a3f7220f60d324e1e4ad0caf0cc

SHA512
1a5e6b7f75c5c7b0f8bc2069df97afe4985b29642a31b0c7461c2aff4604017e080fca73d7a77dc2599dd5ade71c28b7a97fb37f6a9fefb8d700a5ff8231f0e8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
70ca9b8d499f343b40fc15687e52e396

SHA1
66714b8f941a8fd086ce9c759307e7d6fb0ad731

SHA256
26ca2f9355b0acb5f63020fdb59ddd75e307fd93ff5509d93dbd3af0fbe18794

SHA512
fa831b081ec41828f68525bdd96ec930550478758dc1d446c4a32a7f2ac192723a23150bf7ca2e7d17a66fbef5b8e5ac922153cb045b665ef5a90a5a958bec75

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
45d311c417939226cc960e99e277d601

SHA1
651f516f920e763fb72b652bfb4af6f67c7f8e0e

SHA256
49c9ff6f93da42d4fe69a09183c39676085a82ffc24c7449db076953c1515fd8

SHA512
4426fc2fcb4afd2249a2a01da9017fc46f866ce78bbec8df7b6479f3a3038c093b9fe0d85881f1eccb9a35d4522ffa8950aba350335fe413a9d64194e221435c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b39c878022b8f50dbe28428a2ca12433

SHA1
11ce0b411ef99bd6b34d5d0a63e23bcddb939d5c

SHA256
25278bdcbfb3989e10f50acc710d2aedffae5a0fe334ade0211b56be786c554a

SHA512
ae7b2eb4e7c080c3ef0525e2a9edb69d9bd94cef80bf5e10988472e5ec560d5dc6dbc041c59ae482721591b1e4c842cc3dc1399d55ff311b90c1efe0d81f8d55

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
81094c62e61836338cb56b3c933e9dd4

SHA1
8dbd57c82b3c39dc1d9cd02b2a26c563f35291c3

SHA256
9493c72a701f0520ebf3799165d4e4169d4c30614d990adbe8d8024386011b2c

SHA512
45cacdb1bee6eb73b46e8c714239bfac80c21333923a0adfa5ff6390b061c9cfedc2138389ccd623e36b4d843047b38159cdcb983ce2734cbf8977488adca540

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9c46a7ee0df13b6fd7a85818fa2d4227

SHA1
6a8fb628aa134f424bc82d8ba5701a7b8e175a24

SHA256
d9f2e2e1c83d7151448937cf384d2732bb8ad52bf91cc75a43bc1fefea4e4cac

SHA512
033c7f0bab5ecbae943625b26a02aaf5ee18e443c9595044c3f6386a4a4d784f2f9374a26145db765a48e658fb040b7b3d508b24f7684eeae66be13f4cab2b4a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
aca6d371cb8e23a60bd3eeff92ce0459

SHA1
d1071841d1cba9d7c5d0c17a59b0d251cbf2495e

SHA256
4a3aaefee3301c9f4a1ff852958d56fb7d3f9e06cfe0c6b3c72e41171c2b0193

SHA512
0db85c4f4147bbcc3b1ac970cfb8a4809491324676444407bcb44d6d2defe769861840dde7cca71be0079d5fa9e8fbaecde11a689f31fe98514ff1b7f346072c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f1baa8647cabe06836d08cff85b9de29

SHA1
e203a5e3cb0e51befc884afe90707c951b17761e

SHA256
db97cc6e1085f0362a01530b75eb873922acd1ee668d3bb8fdc6f50832532a5e

SHA512
2c95c195b8da5a22a5e55c42216cbdca9d5fece3fc4a52612385fbea011dfc64cd1eb0b5b1c37c48fade642be165efa57fefa5a4a89579180f30be1592eec885

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
4f2a9a70fdd7767b636b1a797b1dfc8a

SHA1
0385e9ad8dc7b49e58172aa83d70b531b7c2a2f3

SHA256
512f903364690fe359890cc7c002f90933f76cebe3ee52116a31459e9f099c6b

SHA512
2954894616f0e6e63a87264bb763d25026d98e0418b382a25e7267c7a35a13207c2f6b0af1cf6b74f4d79410cc6ce297aded342695e76345775ec7f373a7862c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
318397b216e20c40f20d239534e47708

SHA1
e93d7566586b956a8499e1e474617c7f00011947

SHA256
e7de7211b261e26761dd33cf8a0b232972ec7e5ad4621433d37938c535d7bc51

SHA512
c2590dcadaadc2e9cea817158fad0490f64bd9c7842ea27106439f9520f6e5393fcb93d78d3eae67d21e20061f565aa840dabed71cd57685acbf2c745876f458

Download Submit
memory/432-68-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/432-62-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/432-66-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/432-56-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1192-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1192-462-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1248-153-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/1336-463-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1336-25-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1336-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1336-17-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1876-468-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1876-40-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1876-33-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1876-42-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2320-159-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3124-136-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3464-163-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3636-161-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/3800-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3800-469-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3800-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3800-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4052-470-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4052-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4128-157-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/4176-79-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4176-73-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4176-154-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4352-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4352-395-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4540-162-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4816-198-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4816-471-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/5072-101-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/5072-96-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/5072-156-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/5200-199-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5200-472-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5464-155-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/5464-86-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/5464-92-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/5616-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5736-160-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5964-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5964-302-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5964-305-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/5964-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5964-1-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5964-6-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/6076-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/6076-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download