b485f1d60406e95aaed0f09c321eb31d3997ffa04245799d8c4e7c4ca5edab97

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
Size

1.1MB
MD5

361f12ddd9ef3e403e771ed9860653c5
SHA1

afeeba77ff2b314ea2193b79e09f92486cf620da
SHA256

b485f1d60406e95aaed0f09c321eb31d3997ffa04245799d8c4e7c4ca5edab97
SHA512

9d1a6056c07e5293daf9673006150caab3da35e9aa4329c93a8106f5ed55a2a31fac544335a671f0604fc89287c808801aa51ab1433886b78a86a97e5be20bbf
SSDEEP

24576:LSi1SoCU5qJSr1eWPSCsP0MugC6eTZgPvod50p/TXM2s0espsODZjB0IP:rS7PLjeTZ0vo05s0eusONlP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
216	alg.exe
2104	DiagnosticsHub.StandardCollector.Service.exe
1488	fxssvc.exe
5072	elevation_service.exe
1692	elevation_service.exe
3280	maintenanceservice.exe
1376	msdtc.exe
2120	OSE.EXE
2372	PerceptionSimulationService.exe
3548	perfhost.exe
1420	locator.exe
4112	SensorDataService.exe
1116	snmptrap.exe
3740	spectrum.exe
1020	ssh-agent.exe
3424	TieringEngineService.exe
4028	AgentService.exe
4108	vds.exe
1208	vssvc.exe
4644	wbengine.exe
2248	WmiApSrv.exe
3280	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exemsdtc.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\855a8a3a293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff03ebac1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011781fad1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd9594aa1caeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dd840ad1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fc44cad1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edfe66ad1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b76e8daa1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001650cad1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001650cad1caeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab9775aa1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089624aad1caeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
2104	DiagnosticsHub.StandardCollector.Service.exe
2104	DiagnosticsHub.StandardCollector.Service.exe
2104	DiagnosticsHub.StandardCollector.Service.exe
2104	DiagnosticsHub.StandardCollector.Service.exe
2104	DiagnosticsHub.StandardCollector.Service.exe
2104	DiagnosticsHub.StandardCollector.Service.exe
2104	DiagnosticsHub.StandardCollector.Service.exe
5072	elevation_service.exe
5072	elevation_service.exe
5072	elevation_service.exe
5072	elevation_service.exe
5072	elevation_service.exe
5072	elevation_service.exe
5072	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3760	2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
Token: SeAuditPrivilege	1488	fxssvc.exe
Token: SeRestorePrivilege	3424	TieringEngineService.exe
Token: SeManageVolumePrivilege	3424	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4028	AgentService.exe
Token: SeBackupPrivilege	1208	vssvc.exe
Token: SeRestorePrivilege	1208	vssvc.exe
Token: SeAuditPrivilege	1208	vssvc.exe
Token: SeBackupPrivilege	4644	wbengine.exe
Token: SeRestorePrivilege	4644	wbengine.exe
Token: SeSecurityPrivilege	4644	wbengine.exe
Token: 33	3280	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeDebugPrivilege	2104	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	5072	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3280 wrote to memory of 3564	3280	SearchIndexer.exe	SearchProtocolHost.exe
PID 3280 wrote to memory of 3564	3280	SearchIndexer.exe	SearchProtocolHost.exe
PID 3280 wrote to memory of 4088	3280	SearchIndexer.exe	SearchFilterHost.exe
PID 3280 wrote to memory of 4088	3280	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_361f12ddd9ef3e403e771ed9860653c5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1580

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1692

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1376

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3548

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3740

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3144

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3564

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
44b0f547850a9ff1d2a6e71f82b18884

SHA1
4bed4c3fd8e50397ad314f2968541c470e9b3259

SHA256
bf5e6b4d6b564ee07ff778442bad6d708b41bb803b0b6b2b6d149641298e0e0d

SHA512
79bf5e1c915fb37a97b32a8850456b77238a14f895e635bf1a06a799f35e8c8e199f23917a625120e5e871f56271ac895e634f108193978c674873e0b370d7a2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
ec9f9e98c3ac0e381e9cce460880396b

SHA1
e7449bbacb4af93a000675903d75e8a087dc7275

SHA256
64bbd21b40e6a81f316f283028e1fe6d7c393e799b6d536f53f794d8b5faac50

SHA512
f4dbdeea8132a3846fc62710dc04aee704f8b4f118b1cf19bae093aaec3649d0a3d2ee3c4f553b76d9cf9fdf8c39c336a5e61adaffe39138676fd19401e4d7a5

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
ceefe5d381a10b53f99357ab2ba84474

SHA1
0e11e5b0c0c85806d8816b334098ee2c00188aa9

SHA256
fd84a8c87b85008606903137fc32e8c292c3975528cfdd4a98cf8f5d3ddd9d6c

SHA512
0124ee21e4a04e4b3cf82cda6a7b3acba07efe0e1e29ab3ec9ebaafa696f9eebcf5bdbe4cf718970cc2aae4789cb8af69f6249ce08f307e9155e137f1eee0799

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
36a6716cba9cb2f6e315cdc8a27de768

SHA1
e7fa44a514cc1a17f74e1a8df53cccb82d46a4a3

SHA256
dcd13d9d145f3281a520df26201a25784d095f80640bdeec0f63aaf420a7a123

SHA512
b860ca9dd0b0e14ae543d43952f562762a4308dde3da33ac1614635ed6ef746d8d1e6a21a5d4ade502abf2ffb85bb08057134c2285c07bca8a16ca35fc54cbbf

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
5969d11517b683a35c3d58e98ef5a2a9

SHA1
0a86c1e8daabd6d31688450e8e95a4cc124bc5f0

SHA256
41a969f1ebca71b9d8b75e76556989e6fc420de560b513c5346a643c0fbb9c4b

SHA512
bffd843a481ae7e6b80c586e5485972bf3aaaca300c7f6194378ca50bd66ca9cf95a45de6584931ded745aa5c54cabbab1243bde8559dd46b8304e10a3df19b0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
697e4ced4693fb093824a9eede71e8c2

SHA1
543242bc65017e7969416b5cbc290ad80a233071

SHA256
1951cf592d4dc7efaffd8f61c6603347789374aa89435039c0aff3fdc83f44df

SHA512
437e7e93300b7a3399bedf2c3977653149657c4e0bbca62638744f23e7f748bc0e6693bb568c620f04145d49b5a0f882b0101fb3e3ce246df7df375d636f25ff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
44382b92c164f50593f695979be2f86c

SHA1
742d69a4074c067133ad1a8bf4995ef8ba1026b9

SHA256
a3795086827997b3ba77c5eafaaeccf5ee6389154947ea421b8e46403ff155b1

SHA512
8e2072275581665dbaf38873a4f59920eef46e32435a00525589891295374051f4def09ff845de31190951a4af8c1e2f7f51fa95b9d77187744fa22c6c74541f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
03ab4414f5a317e6536c481c3ae290a0

SHA1
06149df41c673500a154747c066feca07fd5666c

SHA256
84e82aa00fcf633398f52eb83e5123b695128bf1290efe562b87ac4695d06e1d

SHA512
43024b8b27a00ba35f3b143e263f88761fbfe37e95d11627bea3e21f1a67c0b09fbdcdbac217b3c7cabaf7d2a08b6958d8bfa6a1b5ffed611f4d8c19f324ea0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
bd01097c0ab1749a3789c280b8727fed

SHA1
40318223759d841cf05e2498d557ab630a584ecd

SHA256
de3c70f73da3c4785c12df9cc49e0d0baa4201270db68d33b54c9b0f29c4dfe0

SHA512
ff39e0286e1bfa666a7e138db8e4d2c91fb6ac7bc1c189215b024e918b6a12faad23c999ff34fe4e389c19c76d451358a5917bdcedb2ca9cb701311c05e75b8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
7afb2aeb4cc2b6d9017dd7ab3530d293

SHA1
c712778194b1679e3544bba57757be297143e0b5

SHA256
1a56165d5090491b3adcc9964bf606af54980f84e154ef3d349edfae79f030ce

SHA512
f6a7f3f048e7c5b194f90202a1fb8e200b31ffe091bc752440be86b89e13ecae8548364e3fa9e92a41ea86c13d34a53e02302920a681611fad839d0055b5ad52

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
58b7f3b0534f842529989278a3263845

SHA1
eff9dc5f85d092b6e72c29071d5f19cb605c17c3

SHA256
b0bec4728ab56d5a92da75f2a6434f6eedf30c1ece22b9bb3b7242e159fd4176

SHA512
e03e595019a7d57b701ac1c256903b45b096427514595c9b88fbbc96db9b6c82caf9b2c7822f3029d0cbfb126938822adfad069f7f7450a90ebc68759bb5d4e1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
0416bfb1e10a81c9c3e99ed799b5c235

SHA1
62ee8d1b4959b7e90bb21c6e56b7f779a558db15

SHA256
ef12aa7a8451d4c7a2e4ee04cf55c48b1bd01cf81f670289f2c37a10a9c44708

SHA512
4c3270f5ab0ac2b9006f64e1950ec9507383925063e30e13fe5ad80d8cc795db9458173ea8a3952c92f1100b0305ed329fee21c4fd4ef717d8ee2abdcd2d8f1f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
dfda6dac9bb4a4706ddbde8d3736ce83

SHA1
873153666f547b445f18eb00354a1377c326ea11

SHA256
c9c8888c54f44f3bf0110a66b4dff69df7a22126b0881541cde6f1ef2667fa33

SHA512
c6fd72937b20f2699527354e02bc528d96305a307f4b463f5f29007fdd7442d79ecc85aaf5ddd49c8072951e39232518cd01ae027e4dff8be01f5f157c107e37

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
af968fac51514810bb10a30f6133f79f

SHA1
ed01b7ae8f5ac2e890ca0980f73c09781b566ff8

SHA256
258adbfa77571810715d79a8dc4fe266e3e6d3cc4b8c6ccee4a8160557e31e78

SHA512
5fc0a1b461c4f8397ea8fdf32c7f481657084675a3f5d6b48941ed256a200834bcf7cbca3429b38a953420391f9c393f2212dad97549d774168ff646db8d0d70

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
73c08db4906bf39b26a967d65828753a

SHA1
8593e5a1e10b5b9e2048a9468da49c2eef8476cd

SHA256
82bc2853f56a7897f3615a37de49aa2e85f1e8563ed1c7b012a344a3d2551e89

SHA512
0deb17e9fbd4d383d5470c127fa909d6d65713d1635ec699c148de9343805ee1ce840029ab305884d409e166b923abf96b75dca7b06d4237443405beef5f423d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
56917276073fd61c0d55c4861232cf93

SHA1
5af4ec760a89b357f819576cbb101c271c159830

SHA256
8fd2639f3d90dfed01b500d6088954edb8af73062551e35d15da63aaa7a2cb36

SHA512
e3676e0990b1d244b97c2f6844519ba3bdffbe5cdbacc1f1f3913a102ca8c3d31bd8f033238f8046ce41a14dd927cc299485659d222d140095b8ca7eca7d1bca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
4e7fcc8714790171f11233a7bb4bc4bb

SHA1
67cbec236b48bc11c1e8978fc9dc799b43f3068f

SHA256
a65053514176e1d1dc2251ae23b9019beaa25b8ee21028a766c337134a2bf8c3

SHA512
1dde5782fa83b85244ccec040469a275f202b4aba2ebf722b627fa396971b91503c29e9f2a997813ee2ebbdcf4c4f977e4a553d676dba4064d000795bb90cc78

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
ceb49be0ea211da1e4b0dd1cc0e5ca02

SHA1
5aa1d14c2886caaa900c40bfcb3a9308bcaf827b

SHA256
f498fd3c0f417c339f9d121132e730e8895ca523477fe5c0b600a4b7936a0fe1

SHA512
ff034538f1c42d263f3383d876ea471a3e7f6a54029aeed4f21827be9515090069a6f77192613ad51fbdac66c561026fb25d750ae5037142a695d91608ae9022

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
165fc214dbbf6695ce6d09190bfad7ff

SHA1
2168f74b72a76d88b8cfda935448e5586efcaae9

SHA256
22d6c3b6120c9433061c0386456f671a1dd901313c0e89b974cc32ff603dfccb

SHA512
63bc783f899fa6428b69a65f4c50ac2c1e78127fdffbf919ea6f7e240e5a1c437ac3947768106f05d813b47d2feafafdd8c12035674856150924f9507a744768

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
9213fa006b87039d8460330105f1177d

SHA1
9c8df4c8a60de49096ecabdc1df6ce4eec034908

SHA256
ad2bd72d3e1491d179b8cb370b5ce8f59a963213211fdd4f12ceca6b125a9d72

SHA512
d90abe804327c7491b9832ab744c18e3a0512da4a3ef9bbbec71c3762f1b3693afeb338acc656fa4d0cbf9f64284d9c24fd993cf4a80784fb38c49436214bfcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
ac8059472886c783c65dadb96fac6bfd

SHA1
20aba038849f7bdfae854ed20420e3e81f33a9a5

SHA256
d9d2ea3a839875aa8a774415ae719a7075e5e325e2892221a5527b81f71ddbbc

SHA512
4944ba110a0c48239ed3e0281bc0e9f0c90bf7271fc47d5c694fa02a0bec163ffb1ab71d6fbaf1bdbee4bd393e09d111e40eaa9ac890919471f01a25eaed07c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
ea7cc4971d6d95e57313c640ac18cd06

SHA1
1f99023cce875ff0e38b31d6c0791e18580b93de

SHA256
255b20c33582419e66f74237b81c6f44787d117774530b2a9a29ed064fa8fecc

SHA512
b2c4c501ad569980c38101c9bb81fcffb18018a85a8e86d68cad9a6d4845d9d0b39bbf0d51fd1df603e05bea9843f6c487423ada4b84e970b64405f022105bee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
bcb88124bb5eec732840364f75734c50

SHA1
a03d23d6271218ae6e9cb6f78905befc8e3a36a9

SHA256
bc75330bdca37456103147581ebe26394160f7a84415de40eb4434e98fcbe39a

SHA512
f46739bb314956beb5c0c427179df9058792598432c8d587f038ec9ca6feb4aba98e113f17b5c5a4008e88b97f6d7d2f37f0865c6c7fa770f03caffa0db28ce4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
d1569b5179125c336397dfd980300e30

SHA1
5c3e878847efba13b13acd1339bfd0b26c5d1d40

SHA256
52b80366e6295f7c06f92b06053d4e2129b47f956aad4427b10b4f30fd54a1f4

SHA512
ade36f6ca4739c82e566c356c60a083ca01720531ed9625b1f1e83496d509e5ffd80e6a5791fcd6823300ee4469237fc2b5e73c079cdc7690ce1f944c30bdc30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
77e8d648048e2ec552f999f6a437593f

SHA1
c596b50dbee076361b6edd3f2f6e084f82a3898a

SHA256
f2637abcb697b4da4dd2fb9f6f92b754a73dec24e9433d37490bd120a645e101

SHA512
c5393f1ba1fd0debce1ec294b73384a471a12bd729740821097933cc78991717737e0ea2afab0f20b09af9fd76005fbe08a6da35af0e9e159a9c05c8ffa39145

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
44c490970a8d30ce1c5677172038c3d2

SHA1
37b6991c100b6dd9f30bd16eb366b0296e6b3e05

SHA256
6bb0ee8f0e4b5c2dcc13db654697ea8278ed77a660b5c6f05cab233143f398a7

SHA512
d286df2a40a7c5a8ab574a00842414d7568792bc9c885b0fbfa3deeb9378e080c84b71e8734c49c4db2127d18e15c41e1993d3495680672e16683569fe0b2726

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
f4bc3ca6c2cabc06fd1e265c26ec2379

SHA1
337a4d3094fa31d33e1ca00ff3d4ade410f838fc

SHA256
01335204471ea650c68b756c253093818092318dcca2de04d2a1aa67cf1b9760

SHA512
e1a7740a07c7daedc7dd8263fbc00b92eceebb9f73df347469e53ce4a4d6a180d14bc8fb69aeac0cfab684e8f2620bf8cc4a4cb83be2577128721cb673a8e430

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
b20faafc106dc0efdde29f11ab5134ce

SHA1
5f336c5edae5a79c34b3f6a3964f1a1fbb5677b6

SHA256
88b91dc0b8f007a1419e48c49af6ca3048078f057f0426e33fd7e8d41b9702f0

SHA512
46df6e8007f102102add789207c9dd78019447ffab3e759138e25fdfcc193608473ef74e4aa5ed4f25878ae17ed67dcb21bb5de66ac080dc1b2341c94b0b0293

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
44ad5aeab838901f02048e55fada00f6

SHA1
690115fffe8f4f598529b5b908607b950a41df94

SHA256
7db76bb7da6a74d389bf0e7997d669badddad3a5d78c09d8d0969c25a55984c4

SHA512
c03707d4bab7809a81ebacd855e6379fde0c5a30dcea6694130c17934dc53efa24edab3a6fe1e9cde6ea4652df88e7b4f9ee533cf81239692ea6694370407dd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
48e7eb97e7a747ab4abdc97ba910c3cd

SHA1
5f3893d79c99cdc349d4b102ad3c184da5428981

SHA256
ca7f359751f0be85210adb46602b3ed5351296a34f5e7692c9c67104f060dc00

SHA512
02cc74f4ad8a2be2a92df3c80c4e8629ce98d029f5326ea42e25d3df7a7bd8235d595c7f9ae633b190bf9287fc784b6bbe30e3475c21d03753d12c6fd4457fe1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
e68c2c945315ba2c2c6ff04e68a87b38

SHA1
71d3f4d94fe4fb672bf8666dbf44c3b2a622576e

SHA256
137eb255e14e517c3abd990659d85a0cf4db3196680eb11b730d1ffe3ed00bd4

SHA512
3afff99f46c7607857ca785636d64db4386fc818ceed3d67f5fa73076701fd9b6f329d7506f00d14831a073b50d722a83c3cfe4d7d7886ec9722bf37e2b40dbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
3b18d5e6a8d7b110dff838559cdec8f7

SHA1
456a225daaf390f43f8a4644d4ad75498537ab2e

SHA256
b648b359758e439a2e4cb46c49abccc8be4ee3e9f96b937247d29c3db72155d0

SHA512
d0911a981e1a8a1dbf5fe56fd3823c647476c69eb4bb7bbe189e663fbda5c8216aba5794f3ffdfa76f8fcab78f34c8f8815749f925de33c27a6a3a58eb543fa9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
b622577d10300dfa7275079eb94d16c3

SHA1
61293a8d3a9787bb95a28a0f87bdaa7959fb3b59

SHA256
ad6fc8b925bd9720de074dbd33a3f3f4ad955a35624609ceeacf0ab71616ccaf

SHA512
3599096bb85d38f1b1142528d7dc57c83bf6dc035a1e42003fb53355811f83b3c28c223c86049cc30c91e951613831ff77ac2238dcf8e588b43315002da0cc89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
1c7a84f81f5d95cb5e05d384a9de8c85

SHA1
1976cb92dbd694662e68f4d99e81aea681e82c78

SHA256
ee61d07c0c2b322fa0306fe19389a19aba28f21362e0c8b90ae413ad78c1dafa

SHA512
9cd7d9ed7900dc3589127a2a69547d93cbc03d19b7925f3fe3eff2049ca54f6c693902ea1f125b8c07730c87e57408a9104fd8ca4bebf7ff464fb94afe242e1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
f57c59157705de7151f4ba8a0ba1c981

SHA1
f9b6556d5531b8098797a976dfcc7dd8c39ee43e

SHA256
cd01182401bc184e68d85023212bc60bc4e8db81b7c1bde15cc6373bac0f3462

SHA512
d6a0083aab1813f83fefa8973c184f745539dd6f82b5b84e9c23bea2ef982d2fa8e7c50cc4873796893e2c78a3e244b6107e69bf56a6898ccc0603126d2a3351

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.7MB

MD5
fe1aaa7567525507a17295ae50b9e0ac

SHA1
8b87106de4e57ba9434e94fb543991fee19c7604

SHA256
30da8b3c60a079945a5118824f176a3da0e823b8d8689a92d20ff6eb9cd0446f

SHA512
5973e68076eb4e948718b86931826a95fab89cb1084675be83c9f8dd602bcf0b944fd38523ab762904d8e52fe429fccc9077a2a74646225cc42233329f95b9ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
ecb25e7b7c7f3f36c642de8d452bafd0

SHA1
81ab71596058d40305972709dc8fac225937ca3a

SHA256
234c197cd6c43867943ebfd12f9cc922f77633b7b07370a085a3ab9e480e16a1

SHA512
48515f4e800d8b90c5774838119e9d3292b6bb52e4df38190a255b4748d622f16b883b7d8a3b5a22ecce0ffced5d2a0fed6cb6b572271a28d6d9e86f81712068

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
8cca6c8e1932726f24a1852ef46a5353

SHA1
4f3c61bddc5fe583aa72e427750064fde3513d43

SHA256
eddbf21036f0d7f6525de43205a6e7c9e4f6f3f1bad40d6a32b3608e733c869b

SHA512
43832336724c0c4190becf1e500fcad558c9f79d6019d5eebf3f566a4f8e090ca58a01e087eb4115876ef0993e7a8f2684c44e64e530cbb7362307194f196113

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
9b7f9a9010fb0788355644020d78fac1

SHA1
131a38d16e9e7f40602ea0e3a6020211332e3aeb

SHA256
c75d19a1c64ea440cb02bf14814640082634889dfcafb832d7ca6769d972cd42

SHA512
2c63c872387f1b520ae96009394eb665f5884242d8cc57eed09cc0a5bbb766caff3c3ddaa4f9acd7ceed47cb21a7b402f358907e42cb6147f75de65740b1e09d

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
5068e47971557fa97809d9d85b0b3bf4

SHA1
26dbab40029e424e473fded93dc369ad25f5f7e6

SHA256
7e8b2617803504bedbc0b2471b21a5f79c0e3296b1861938469f759416a2ff8d

SHA512
f81521e4fd109aea355695b1c62a9909874e4b5addb051515b8d47d9bb4708dad18361b8b8ad477a899e4c3645f4b468bc9b8c728934ba3b46ce35e42816d7c6

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
da503e23375acb1b281caa3e4b28e156

SHA1
e17093411650a2962f225453a23b14f86a19dc80

SHA256
2fb582ea0b05f7e95a70c24467ee82e3ccb7b41cfa7a6eec0113e3bfb82710ef

SHA512
c24e48cdc0e253444a2d14b3c7ab128a3fe1696552f21607d980c8815a65bc485885abeb17e38fd3ea642cd601df60213a0cdc656e844205e7638ba90d4bcca8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
17451bf8c22b436071de6ccd2ca3c757

SHA1
c4ca68613dc5c43f0378aee76ce9f34073a643c8

SHA256
dd7283e8fcf16fdf3f2b8f4fbff1d0367f3b834464682f2ec5bed57652c38e93

SHA512
3e3656a1c383df0cb18d7ef2255de151c9386953641c5186109349ba5f48ea1fdd2ea8ef01bb5e1c587b77f7f4aff1220fabb628d72eca2c393b709a39848051

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
65bf52abf0cf3804cba2094362fb4001

SHA1
dbefeed38a56584e8e28690d39e53f8f0e61e2f8

SHA256
4332e1a3b58660b2f5b82d597628ab39c5bd9c16255886579947351ca3ca9f1e

SHA512
341e8d81e65fdedfe2651b591262c1a3b773b64ecc367dc0ad7ae96b4fddd2735e3f1f495596053117826ccd63feaf1dfb919c4366d7e826b71a19f05bd5b372

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
304fc2f2c62ec3a052a553284dd10f29

SHA1
028a00d598bff68577c89c393aecc20f4f800481

SHA256
b0968a2fd7b636e0ada8674890154cc9a955ae61303da39c6f28b7f886a81fd9

SHA512
f2ae20c8ee99ce730e59aafee3dfb63012388911cd2f211c2c069d64f6beb2a0174586d41ac6ab16c98a0b7c98e6d7f39f00a7c98481e4ba1e7209cb3341250f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
245d954804d7a3698a4025f31baa15ae

SHA1
1623d003ec1b72937627adb07db91ebcf1e1a602

SHA256
35ea2eff498828d2297c4dd47b7b7832f44288e4488c4876a2388ab947e96732

SHA512
f1b912dbed8237d666fdc3459d94dd0d6a52cc321e610bef6b24e9d5c956568ed61f34fe1c0a41a0363e2f69d36420a46edbef0326f93af1637b7cc60be19b95

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
ed8f30bcd3c27ddd61bdc0b30adc43be

SHA1
6386b6632d4d3620e6e4a69961c3e866eb5b6cd6

SHA256
6f6b18fe547ed412babe37756bdb1eab87dc6cd380b749ace2742edc5a858b24

SHA512
ef1a15a805d1d8ffb94834682488ec31183d8fb5888ed19ab3a475fae26ed33cc55222790152e06c49af0f0a87c7bbbf526052a39696ed5e74d752c1d985dd03

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
8af8e3fbe0ec8abc39201f834b766f72

SHA1
04607f103ff7a2ba094109a9d76bc973f2d5c757

SHA256
eca7976db5899dac7b91e2154e82b7d7053c3c378507b9faf581ac101a648651

SHA512
6bcb6d979e68ace08d989297a28d9a1f820e63320a9b6fb0639c852f93057446a4e7cc8349820582d9acd77a94a9e40ae761d12f4e2234d58357e8a28a7447a6

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
cac0a1b872780aced03c1034c4904c59

SHA1
ac2e64eff7c1f1bc3724ac6c5d6e2914f6894189

SHA256
b27963bc532d1e0e6c81da8add942b0bc6148987b2e7f03a4e3fb8001450e0e7

SHA512
314ed50660d34cf87901c6f4a386817630c5e1784c619ffd92de55490a27631e057c63c0b887b348e2a3dd091d1bfa6e4e759f998ce5b4a992e5d08a676ee94e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c7ad1ce538dec52253e92fe1f86556b8

SHA1
2796aea5f0c9dd4eaa1e38899d32d98a39f29483

SHA256
641de019e5544eea9904132c4b5d7bc45b4a6c086ab65c2af9fff38b33fdb9f8

SHA512
b1c78ab0aca88e646eb91005f238cae0b412ab015681177ae1938ed06332b08cd12884c87b34236cbbd90db9b48ae347374392bb99724c928c702934912ff26f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
a61d9bab9175c58111c318b2c4c3296d

SHA1
3244b40fafef3b27a611959dcee247bf8d03ff29

SHA256
25a3ae04ba01ba8cd939ae964dbea34d5b94c653d6e78b664518b8f1e4252d4b

SHA512
e3a20ea6ed180bcc773af089f57ae02bb01d9c81e446036ae51da3c0b838b5d0284d924f36d46623fe08be694f8851df345239f3652dfe4e485cb1f61753fb66

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
e93860e44b1b99271548ed5ed4a83481

SHA1
e5607f46c1ab4c9c7c22ed36fc586ca8609b42d8

SHA256
e51de7a17b778cfa86913d268d9e014804f823ac936b8a513ca20b593ccf9606

SHA512
6d3049b59e14225e46e91a5be5cb632a1d2b636b3fdf471a72bc5cd419e465d423c1cba6903fb7592e1fd2d70fc973e53de7423fc21ce1ce09de6606681a1ef4

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
b500beeae021626660ad60c5812bac18

SHA1
2769c12201735429aa52c84635e2098b2ad60bd4

SHA256
418ce16c432bb5e3a2d04ec92e149e2e54519790cd00d7676cd8d7e0b4187441

SHA512
d126b9617d51f2528440255195b3754d4b9ccbcda3de7d827c9d61603aec8ecf4683f40070cb1a73dd6fd0bfa451f0473bd8bcd2532ea05a9fe2df8857be0a05

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
d4d5c931fb2a6e57b9eefabde9240c32

SHA1
65813cf48bbd79ed77e7689f52f4258c5969bf1d

SHA256
d24b956eaa15ea5485c07019e938d717d87893fd7497b64c5a5837b1f33b3671

SHA512
a4523cdecffce09d7d35bf5829f175bfbfe84d05f336bc689fd48cc5245f2b4950f7e4df98015fa83deb0863b1147cd7b760b92f21b07c3289548159af22d864

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
6f118ef006fe368c86ac28521b25187d

SHA1
1a5511fdb82d2e66f706b3083b54af67bc712d8f

SHA256
2dcea8bd3368b360e066113c27bedf8de58a8dae6a402a5de8dad8105182ca07

SHA512
5b6a9423d699d3015d35c76f079f393ef4b2d70c779f7cfe3d10c41b8eb0d0b21379172e02477536ed54d9d320ff93c45055f7e2806261070961dd4825b07109

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
97d91225e67dd4c20060968edd0a02bf

SHA1
6df8d7945c7af461e9b83629f0f4cc83f6da5283

SHA256
8c95832afb88242a221d18874846b027b7eb3586ee8f3c084f96ae690f57c830

SHA512
0335b2c876ba711c74da19ce8fe28333db1d761b2a55fce4d939e58e55572ce88226c56a85576daead6f5e94c03450aedfb9ab5c8005f1fbf2bb947cfd127170

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
55c9ccfb8c5cc731c3084f9a40527b53

SHA1
313b05c366164669e427b9a84906ef540ce41cea

SHA256
9ed6d0d4aca41e9dc3734633596640336cabaa122eb3901bc774536e868dfe8b

SHA512
b696072965639313090838a617deb890138c446bec14858d119ff065a097c962e68a44987e6f7109af9d40a305fbadffb8eaceed490022cec1d8e830918f889b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
78f7116f3d3683c4f62b57180ef6754e

SHA1
99f49417a1a9e134e5a4586f4d198b9de809f18e

SHA256
1d79c28237ce3292261aa8dacebdd9d59491a9ebc61dd06034026d4d0a7d78c1

SHA512
9113e09791ab03876a70d07aea0111335df5e7722c6e0792fc260cbcb165fb4bcbe9918340976353615be85175d675b9ba0f4f44d18ffa490fe1aa4fe55a5bb0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
520de37bc76a6cd2714fdb40bd1b5f51

SHA1
de7fbb8612e6997c5ba27d40391b4402a61ceb67

SHA256
381ae8669e09691059c94af1a44c5caabaaf8d69a606a5914eba8dadc931e2f7

SHA512
fe7ccf212cd0e97e9e8c2a94211b113ad6b60a4d333581d00ac3488b0f87a849135793c2b69935ca10715944bd64e80c63daa56432f3b6939e17bf40fd396bcc

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
cbf1c548886613f2450608851cd0b289

SHA1
017dba7d9183b74587a8c024d8a91f4b95345928

SHA256
f337f75b88154a01c02edc70749900d95e69162b65ee4f7f15ae9da0db974f43

SHA512
f0f9d011306ed1302a12cc86209483f15b85dc9cb936c3ee0f3af72b959b5b74249904edfb9702a316104e77aed198821ede24e24c63b15b357361086ea815e2

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
4c966636c70499c140acb58b54c08ece

SHA1
0fb7d6f632ec30909c71f1197ae6376d4df06d10

SHA256
6b35b5249740af9af43baf7e6b60aeba797b9d70ebf611676373ea7c8acd55a2

SHA512
dc3f6c91e6aaecc5311b3067e4029bd21dbcbf9975d0cda00d84b452650916eb29d854db23e813aed1fd909e12f713a6739a0c18d956eca2e6fb821541d15666

Download Submit
memory/216-109-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/216-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1020-459-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1020-142-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1116-457-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1116-118-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-463-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1208-155-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1376-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1376-154-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1420-405-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1420-110-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1488-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1488-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1692-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1692-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1692-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1692-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2104-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2104-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2104-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2120-80-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2120-82-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2120-74-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2120-157-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2248-464-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2248-165-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2372-96-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2372-162-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2372-94-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2372-88-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3280-61-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3280-465-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3280-55-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3280-63-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3280-66-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3280-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3280-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3424-460-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3424-145-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3548-170-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3548-104-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/3548-99-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/3548-107-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3740-458-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3740-121-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3760-6-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/3760-10-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3760-327-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3760-328-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/3760-1-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/4028-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4108-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4112-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4112-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4644-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5072-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5072-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5072-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5072-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download