3196109052c16c2a59834f9b99b85eff0ec3e0c549c790fbb686eb8f3c3980f7

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
Size

1.6MB
MD5

c496f160ec54f9a8ed6f43b4fe45bac4
SHA1

1c5cdb30fc6c02971486b14fb7a249162bba65c6
SHA256

3196109052c16c2a59834f9b99b85eff0ec3e0c549c790fbb686eb8f3c3980f7
SHA512

7c8b98db3884279d2114514c67c2b4c91558040c45f2c038cab0072f3f125f4de7f4988a3969ff346aa5a5b8fb88f95cf0c2aa05c6a7248a428b9ed30ff69998
SSDEEP

12288:2+0r6a0Nl0JVDgEZXIBaxqCKi60RoaItZICRtjch0Kp2H3HqFShkPUzlZjOJ:ZbK+EiAkbwRobfHRFcbK3eUKUzy

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1664	alg.exe
1372	DiagnosticsHub.StandardCollector.Service.exe
2652	fxssvc.exe
4716	elevation_service.exe
4432	elevation_service.exe
64	maintenanceservice.exe
2756	msdtc.exe
2164	OSE.EXE
3000	PerceptionSimulationService.exe
3428	perfhost.exe
2800	locator.exe
3124	SensorDataService.exe
1984	snmptrap.exe
3732	spectrum.exe
2588	ssh-agent.exe
208	TieringEngineService.exe
4400	AgentService.exe
4840	vds.exe
4328	vssvc.exe
3092	wbengine.exe
4836	WmiApSrv.exe
4316	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f64ce26c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041c45ca856bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013dad7a956bfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000899dfba956bfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007be947aa56bfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000772181aa56bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004272aba856bfda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
Token: SeAuditPrivilege	2652	fxssvc.exe
Token: SeRestorePrivilege	208	TieringEngineService.exe
Token: SeManageVolumePrivilege	208	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4400	AgentService.exe
Token: SeBackupPrivilege	4328	vssvc.exe
Token: SeRestorePrivilege	4328	vssvc.exe
Token: SeAuditPrivilege	4328	vssvc.exe
Token: SeBackupPrivilege	3092	wbengine.exe
Token: SeRestorePrivilege	3092	wbengine.exe
Token: SeSecurityPrivilege	3092	wbengine.exe
Token: 33	4316	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeDebugPrivilege	4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
Token: SeDebugPrivilege	4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
Token: SeDebugPrivilege	4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
Token: SeDebugPrivilege	4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
Token: SeDebugPrivilege	4564	2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
Token: SeDebugPrivilege	1664	alg.exe
Token: SeDebugPrivilege	1664	alg.exe
Token: SeDebugPrivilege	1664	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 312	4316	SearchIndexer.exe	108
PID 4316 wrote to memory of 312	4316	SearchIndexer.exe	108
PID 4316 wrote to memory of 4376	4316	SearchIndexer.exe	109
PID 4316 wrote to memory of 4376	4316	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_c496f160ec54f9a8ed6f43b4fe45bac4_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4248

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4432

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:64

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2756

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3428

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3124

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3732

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1704

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:312
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a51ed18b9c67caf4908a330f612a7c01

SHA1
744cd9fa403901f91e31046227bae98237e54df4

SHA256
c13e0dcfed02d18725586c2acbf4cf6e5066e12d940c2f8eccacc20f3d216524

SHA512
b144ab2908e32c82481fe5b1310344f8d0cf1eb4b3e04f89d6cfa94511397501a2b0fb41201bc98a3ce2911e0ce1ad311920a9aeea6a20b5e247ffa6b2ecc3f7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
c27a2d428da77d5ceedca64b1b94664f

SHA1
e630b75f9417701b88dd8b661005590d753c384b

SHA256
2b8ca0c696dec222f3b65f00a6ba6c4bf1491c409031765777a5e6b42aba6537

SHA512
f221e309e4c298230b5d1d66237c1ced15ac18e0a4570f20a52d9fa4b392d5aefc6a54ba1694bb11570462db8313e2972f95e7387710facbc174e2128bb31d65

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
f2c47bb40afe2a7e58dbec725948b970

SHA1
c74d05a07676631016e04e06738b9f3ce84140cb

SHA256
dd21874a1a449725872638711401df9fb490f5eed35db9c01c6bf4ed97e5778d

SHA512
e560675ea3bd1a88697c37178a4371f88307b22119f4fc2721b1661681d6e53daf0974df42378f1bd0af8a437bf793232be7fa8026dd6edcfa678490a4c06e57

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1108cccad3cd27022ed423114098fc2c

SHA1
1f6248132971e97c88583db483ed40ebd69400a5

SHA256
5f11fb75c94efa28b0b9e018b809ca14ec89c4a97ab761587486f9c8ad5b1116

SHA512
271833daae64e68a3b1e387f16d3e94c5271e75d26b2fbfc362caeb9658510483989b2e29c4943129eb91aaa14cabbfca61c8c0560d4294968d19d82f8ec9bf9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
17d61863f40a1ebdc6e04c3346f53eed

SHA1
0a9045e21cd00eb953e7484d4d730f0340093d15

SHA256
fa7ea55c58aec0b153473fb16dd01d09c09788a13bc819a000851924689845d3

SHA512
7e6ee7364ba42b3379366f7240a48909dc592ded6475f10d928c4cbb9512037d7ab641e3e01b5f9534c0e6dcc5f88ee8d517a90dc053a984df73f54574ec2bb6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
3f64a9fca1513ac3869612cb8f1ff279

SHA1
24897f04126fe565ef7f40a21f906e264ee4a877

SHA256
dc4a7f5dd807d8a90c1806b6244a791c8ce5b32f061647c967ec72a201b0c5ff

SHA512
f5c4d039365b976a154cb6f004b85513f56145b1d134b2a5ca912e186f6e7f32783d1b7ce2f9de122e9747806e487b4fc8907196c55a0056d2f72a680aca66dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
20a7258abd64cc03fec865ecf09986e7

SHA1
39367c5b4b0eadcf87cd8bfebf42efcf8bdc29c7

SHA256
7afc42d45dc3ce32050e1cc2f1ae6193e060c525e642f9d1dcfb2f46821987f6

SHA512
3e94c8b9b04f62aaf39dc9f0a399df4350550c545052e0b12219d05637caa4bcdec7bd5b9d437208ec282e3a62aff7062f330267bcc41ac7efd8094cbc48b401

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fbe03f56b2672c7d0f6240b856c003c4

SHA1
af1ba91dbbfc4e1814b731b2f679945427e72ee8

SHA256
dc20559c37465b5a9d07f8513ee34f05dc822bc4f1721cee20353b369ce47516

SHA512
f5a5e04cfa63a8208d7b8d72e6825a5b3dad72df3437c6098acc53cc1ff4c43adbb3879b3f9c5bdd89653b7f0cae93cec857da0ab8bc3e4dc96a9d6ee92ae9c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
c46710d3d894d26aa4ca23a55474d334

SHA1
aa2f353b69e85be239a348d075d8a429c973cfcc

SHA256
84a51443ad18821b19cedeab349f6a4213139dc77673a7753eabc75ed801497e

SHA512
c599c83d227ba9ad4f08a99c28c26a1d304eac6a2423923e3b5bd3e77be82cecf454b938d85faa309e02cac42081b7d81ac73c5b4d615a7c60488d2fa6700688

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1db203edc568cd20f2d101e32302d372

SHA1
f3ed0d0a09ad0a5bd04f49e5a7fef1eaabce6a90

SHA256
ccedcf87320838de52379f5ef14f21dc4d72ea90aa954f01d3fe640c0d2cb784

SHA512
6b27173be1d68b0ec1b584cff5ec0bcf9ace7a3022b97a3b1eb90c55831bc18b267ab7fb8b842608c5142ce1f5ccf2b1a650ad2f6403f83a864fcd37a205f129

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c5cd01e1676d954ad456631821ee8385

SHA1
8d05b40bedd3eb33220f271156c83a012bbb50c4

SHA256
4480ed669c9e17385a08ef84833ac7f0322f372995ecaedd2e8708944d89af7f

SHA512
c4fd39fc8a8e08e89b44cca691161fa15cf9671184701e2b4448c7d427011d52459b3ac197329ae3bd33499fc32f2639e47d9ef8b18cfd9415b975b5443ba92b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7fda08c947ef1910b75a4765f4e8a916

SHA1
c8825569bc67f82d5bbd1ebbbbeec4c51eaebb12

SHA256
e7bc065ce3c658abd57b560babe935ee33c4130ec80abeaf97c7508196a13752

SHA512
1efa543b7e7923a1f763faa5e0cb226185832fd8b7d55af9fcc423f0d5b5b3c63db5f9a34cdb962e2f155839986ff139cb1f82c298375ff7ae585f8ddbd11abe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1d2ba9d57cc8900ffad5f78ff783883d

SHA1
2474d44f25ada7ac25f309c4059ebdf41c237c37

SHA256
e740457e4500f80582213d63376214b79e0d0a0b69e02a44d5e21a952cd43406

SHA512
f798d5d4d37766511d89335d7190d059b4c21cc21ef8f7f523f2cd791286a3ba9ed78180678de546af8382bce3616dd307f63ea27768b55f4d068fbe643602ea

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
bbb1fb1d8592321da16833bfee0cb170

SHA1
bda178d2318cdc2ef594f64508e24a0866a1bbae

SHA256
69e343a0cd9d8a4fa3e24a6a9311c39b2f9add739727f09b4dc75058727421ee

SHA512
0ae489d8d92ae5536bf1c4d3ca52ee0f1d3571086f4334d7cecd7b04d6ddc5ce4a0ade24e74d9d222e6a3820d34d7d38a859e39e8743cff3cb4e04afd145544f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8a8b4d706906f32cc2d922970b5129bd

SHA1
1b12ae96560c4e953e6d0a3f45a85581e8b65fda

SHA256
262852c3112b9e467c5b7ea67880357c4abfd9f1ea446e9925c1db47f05bd94b

SHA512
1ab12c2eeb56e310f20a0973a1f9fee41cf07b50445c5d55fcf426168a9c3ada413179093a7a195c6aefd50bd0b7cf246069d7bc2fe5a18b2ff3e9f604fdfba4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b92be73639e9393a36fb9fcc33999f4c

SHA1
727382accf4bc52f1ce022b2abfc53516a52f2e6

SHA256
d241c41b778554ffd976a094470ba081fbca3acf4b352905067a15b4ea5c9caa

SHA512
7f41953ed79cbb926e3105a8502af00b1401cac290ea262a47700450b8e38ae1e548fec5e1acc9ae5dfb42efa1e7664be6ad29e32ade33301375c156468ab908

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9d033fe384ed0242b23aaf1685802236

SHA1
a78d08fe75ff2fda5517b5da7feffed362bc5edd

SHA256
88c787891b36bc3c5696b8830476be5402a7b7378199e0dcd56c697cc0cd9599

SHA512
13785faa51b4f49e7db1e6aed79f497700dda2f956dc4b475191768573094dbf3abb26d879d21b9ed4aa6d03f88179340717c124d1dc0cf692ac54727e3a0edb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fc4a7459d439900b387b6cb55fd25cd0

SHA1
21d0102bc0817abff2d3f14e82588b339a2de75b

SHA256
c94f6083826aba100d9ba135ea2d469c3d49e34835a1531fb25a9142cf7d9be3

SHA512
f4d8cfa1b1af7fd9e907d2d94abbdd71efc92d7f0119193067df231bfd7fac38d3bc18c4820939c827c60b1adf11e86a47e6c0029961da6a027c16dde6509c88

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fa99562424f868dc49390d039c15f0e9

SHA1
17a374ea6c95a5289599caf348f03c5644b70243

SHA256
7fcc17883f0f5a25c0db71427539d74b1ae5a58078dfd9117291aedca73d8627

SHA512
11dbe0bae273516a06db01785c3bafdc5d529dba175eda689aa4b7055d77b38cab0f0ccba8acc36ab7b88447c445fa7ba4bf1d7d8268dadbb55122e2ea560919

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2815fbb74e7e2ad54012274ee2124709

SHA1
dc1f505b174e005cd4d4c7837066e94f1848518a

SHA256
131e6d8c3832fdb72de31ab2344a135fb1e654c493dec85ccad31180836bd609

SHA512
6c2cf721ec48675ab9ad997a1571102ec02b0c2c4e0cc308086040f8320d7ac96fb75e3a0624605c0519187921fc8cd113fac52c761108ebcd07bfbd7991305b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
eed1440fcff27d5b5a07546092f4cfd3

SHA1
e7dd5e9860ed8832cc2b5204f214948cae1b8956

SHA256
9f8ace57f577f0a934ec9f02446a5458f84894fa41b37e3873c69a75b00408e8

SHA512
88f85b51f74fad1d5ff6b67143ad7fbce2b44437fcb15f0cec10bd8f8222349d77509d7d4513e3e4cfe7d1d094d92615c04da257c0478f756926907866be0d66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
399af11d952bb8f153082514172e5eee

SHA1
32c780716a21fe185cf2d9e76047dec478977f40

SHA256
2946f1a943bd46268821c7eb421f863721bb09aad353a45186d3f48b92d1a0ff

SHA512
4511cfdd257726051b2d4d5edd0c321d42a283353222f99d8d07116d7334ee46e5aa0be786ce0b9f26a855daacdfbd86b4f224c925a5af8584d6105657af3f93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
fedbba1f713cf3059c75d94583dc5c9d

SHA1
fbef310719dab8f2a1aac2ef373f2f5c54b425b0

SHA256
11dce758f7f15efc63d1dc1073d1407a354193728fd47c9e9dc09ca9bc351f7d

SHA512
fe9fc0b592ebed9c0e7021ddcc0e6c5d66b6a7e5c5d5448e9077cebe0bd3cd6ed745b4334354ac0a5ad3394e4e5c05abd54f1e0ca0dbf53b8f9ac0f57360032b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
471e0d723c32a24ece2c60be358da1ce

SHA1
bd7cb30f3ed56e0338d8404f153a76bcd640f2a5

SHA256
6c6ef170e1a362f1bf6a295cfeb8a6eeff0f5d325ee848fbbed1f3065e4f4f3b

SHA512
dbc0f79e8e418a67fae6512b51a7b18b3d3fcff063c9aaaf39aa0b4306cbbaa8bf3f656549149e442b7984cf837316e9d9c941b8e41c095b9548261b2e0b92ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
c0c170fb8dad1beaed04a809e683d579

SHA1
d34a681ec5941ed2e2b2452332a26dfc0e92ff7e

SHA256
86659ccc99238fe109bf1ef21657e5ab297bce673823324ff72d91c50d42f2ba

SHA512
c2c067372339701b137698b6236a4db65f638dc54fc1aac01f9130b9f0615f6c521311b17789b0bf32ea1fb09dcd1e9186f985fa0b1a31e0fc0c06d44dd113f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
a867f85069dc404b3bc0f2a9210192f9

SHA1
9678cb74b7eb0c2f37f8e59e0de76fd58a8f6ed5

SHA256
20bb98f42cef8bf5219b5998d53852a521872ca28ff2f6f7b8f2ae4e70b3d89a

SHA512
7f58956907f33c83c1edc3427c77c467a763747f54ef16cb0523154946bdae85ca5e41225bb77576c5316dc558b1bc0adcc0223edf62b94c740c378ee5054d55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
975321f1d672d5f56156e106b103222a

SHA1
bb712b17d2a65f1439f1addc914648c5950ef2bb

SHA256
3424281f2d52e91bce3e88393afbc0f0feb6632b30cda3d74b1adcc1c798f423

SHA512
a29d2ad25ac8e789f77c963a6c182905c5d80c838937361044b69da9612034ea39cd840c81a9e524bdb8089fe02a138d0c6661d27b0515d4df3bfd64d2570a41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
7c543299d57f4c23e27dfb447cb921c4

SHA1
e32426139a270bcbdcb6afb8c620ac9200730447

SHA256
3f43a605e428c05db2546c7dc1ec53dc97376860e11f32756f8f26a75dcbdc3b

SHA512
aaed813ec9a39162c5fb1cec763d9194aa497895cb1583d46eabb9f94087bc0e24c0a281ab58adc9a8d694e3bfd62b1d3b0c2c684888964493565f37c17468f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
c6914b0d3472a4d4fcf66074b3f8944b

SHA1
268f92c04c2030c39a21a19a759f1cffc362dfd4

SHA256
86070b574b1696ef0b78028836c09f936f3df3161d99de55502f76ed8e3c7ed0

SHA512
412bfcbfd83b36829bb8b2f39e17b93fcda41a3165f2dfdbcf79f81574394f557365e40c85e93fc71ad09b8c3ccc48f48192fe59034d17a90648be4926addde5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
8389e833b8f2969dcfed375b74bcb755

SHA1
e2d77061edd2b4433e7ee232210b4e380ae23d06

SHA256
483807944e2ecbb8d5f48a1438d63e65da38c30b2c78daa0e9938774ae38fd11

SHA512
c779904514c59535af4cbaf6c155b6e2473fec177829929526b7807406e0fae81039dd354b45ff8757f9f639b732c9ce7dce3f24be0b6bfac6f8bb41bf091f7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
ee92a659e720cbc56a5ed8cb2b427062

SHA1
8bdead6115ad64d86a3450b91188055e3e105977

SHA256
6f8eec514eccdee93bad1664f723fc4c8a8a20b1020ea61b0dd34d4b61e14590

SHA512
cf43a3f34aa8834a8d8252d3944d2c0832c2b0aa7bd25ad0390a691863dfd70d22ae1afff6c122121a3637f6ef3caca136c6f25f6d1f38f65e34d66215404eb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
9d8e6302a62aee7f4a10b9dafd979e61

SHA1
ecfdc7d7d61801e2b5b409e714eeffebe42fe33f

SHA256
2ca50ee5b76a87b5c7a8babeeb7dda5ef8ade86eae2cffc6f93f6b83d961a5ff

SHA512
752e9fcb49ab114d17c5341293d6164e9ed259c0854742cb60b5400932929039c4c47b511cb3628639b98431e1d5892fef2f3f1c3e8434d118375ac41818c799

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
fc686693802798482e63532833018bed

SHA1
49062d9ebe555ed483142b0e05d329903de833d8

SHA256
5fcf294d31b31f1cf6ad52755028d3ec6e9859a227583fcb66f343aea9cb33a2

SHA512
2c167866f7af4c75cf4761c309037620a899865bf2bb6f370ea6ee7c0e9380dcf4ce9d7694fc7e4418b81e050accfbde5f651e5c73eb2de090d5be2e0961a54d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
42533eae60925d6b340e91bceac367bf

SHA1
8fd2dfa34c89789ca63a09bf6097947f289fe982

SHA256
0bd9334b85bd37abdea729be3ec7a13f1f3070d6036860ac33e56193ca56c3b0

SHA512
d149dbeffa1ad6a79a5493196e815e061f5d01ef80c7f00e6cbd6331eefa584c88a51a223d632719f8c646c2dfed7c61cec4adbf756ff389b1635504e34aedb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
153e3957ce6241848fc2a42aecfaa4e4

SHA1
fad606671ee2c7ab194d7cad68b3087545f0f276

SHA256
9962f1c929e2c1b858f026b4c6f5f1928905bb181390800a8d1a1810646f14f2

SHA512
5142e1e441ee2290eecec5af7ea1d40d483bbb384a3d6b34c28c29c1a9714b106ca720373927ffd41cbbab876a9c0c0f17ad0d6bdea1fd775d91e5fae151f4f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
8241a0d189d79bc3dbbbfd0523763f63

SHA1
afde319241b75e2564643be702955893d0c12942

SHA256
0df4e754f9f61dc2ffecc5f2788bee57d3f1cb995c67d0650245d2a946ec52f6

SHA512
6560672a02b488681fc70dd37d4529acf9c7bc9d70ed748fb7f43d9e86d7e038a2794e77cbd455955d3f40e400c83e92599f78bedf52f2d3208819a06576b14c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c99ac8e787c7c0dba40fdb2d2cbd266b

SHA1
67bb541b1193ec747d425766e196cafd6fd4c2d2

SHA256
22edd29941806cd20571a7117001f8a905027850927683b1a97e37f53580bc12

SHA512
6f572ebe1c9e0418ffea5dd30ab0d07864059a93fff3f47d6bc4099a838f78d8962ed811fe060d428731c1852c286f78191b472e86a25cd2e2c75de42d68d6cd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
52dda7d7af6fb85f38925d35fe63f168

SHA1
34cc164ce379406d633baeb53d61833ce407312d

SHA256
d5ae429aeeea7aaaf14b5492b09e379266b051c601930789a936b28a81ff68bd

SHA512
cf349d4c76c0bb729731ecec40f6ae451dae8fd608e9e27482254d89deb03f139485933b4e5bf05b884e3254c4c92d440e3b9b69aab2ec20e15f5c97f260f76a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
28913748b7903294433b9f3bc324536e

SHA1
f64389cd9c67c11f5063d223eb52800f25afce1c

SHA256
b3ac494054ff59902305bcc3af88fecc1ba370891e45e47107345c7991643175

SHA512
4a315ae1a269da5009876c75cf01efde22f05186ae3ebe0f004b133522fb9cf1253b8bf7e0772f3e5862625d3020c02d750598f98bdbc80f174d3bc5a77cd364

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2fa6b3741abc5e037a8ca7db9eb672f0

SHA1
02cd966fde1d3eb569b40e2f856c12693001578e

SHA256
641f96e911f25a5b591c9c16062ea9d1828c21c5d6c1db8aadb29de0cab9a2a0

SHA512
4485d2a682d87e6338c3f17704757cb0a835bf7b77ccb05f71721934c21c82596bc40f206adeaecfd249277b5beea41b24da51a391c504b195fec2835f4e7961

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
ff8d43f02d9c1d1e3a5c5e0e3a9b4184

SHA1
6c9b65b7f82005f5fa8f5e9db124b193f9e398f4

SHA256
5d76f2d70bc117b978a28b1a19757f85ed707dd1dadec91079263eaad4e95382

SHA512
d90c55be75e58faaa567f9fdf2a1c4b77a33b43d9b4016da212374e0f5981bfea61d105fd6099e203921d440ff9884f31ed0c43efa3fec9cf744147ed2a4702f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4753b181a56c732af91549af628e719f

SHA1
b0747eff45853716497829f146339ad0995f7691

SHA256
32f78b408a691fca9bb9fe7563bf40056f6c54a4fbf038880d2e75485c3c9b9e

SHA512
3536cd3cfc77bd2fec3116ee1558b6cc0edff9f88ec829a0d1384566de516a0c85e309bd37bbf652adb6682fb9c16ff7f6519274f3c53dc32a23817ecfc7c8f2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
167dae69325f9fe059405686210cf49a

SHA1
e61ac4c1c125a9d5010dd70ad86ce56014dd6826

SHA256
47d87fd396ac0264281cdd15064fb93465c7a3ee6209c48ff80de615a63c8ba7

SHA512
7b04159c6d84f6c4dc9720a3d6eeedbb80c2731a71d5ac8cdcf2fc3fa37ba79dbf80d25ec5b5509004f9294770ff46396fde159a0ba7fc19c61b0c25a0599ccd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
464a9b08525e2d212aa4989a75ecc5f8

SHA1
f4e176651ef92d78db9bf16643da086b589951e9

SHA256
773158b8e02348e301100da90c0be90a445d0988d1c40f4b3d1eb684ad3ca01e

SHA512
d4c0a995298880ee3d8e146334b5a95586803ddf8d8556bf1961f6586bd73f32fba5975e7649b7422270f1acbac8a1babff39d750c9946fc9d256ae5eae5ab78

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
6932add941866a7d19eac00f7681ee3b

SHA1
18a6ad2fbd386e81f206d3db9d0a230d450f97ae

SHA256
5df9a9793cc6fc023cd996c76e68b92addb7efb69ffa30642a36985a96e7b644

SHA512
1b7bb76f651b80f845feb425eece55e728247c9fb84c16629e69f4c6f6713a89af10394f72b3c87bf7079aab70682c465a03ad7076b0f524d69254c4e453d857

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ee38afda4c97d5d0343ae446b9b3de38

SHA1
064c4e963e0dbcf5c43744431d6d53a9e7b38867

SHA256
b4b5ac4d644b353f18c51cc15b670028fe04e41ae981fe4b48edd4db8e91db49

SHA512
669b1838f256debef595affdc29a2579b7938297c5920a8077fd2cc2d0ce4fb33baac1a5df554914e65b9b0ba35c0c56979264d7d879028bb6ec6eaffc634374

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4e0d4578546431d658b7e5b2e009c230

SHA1
72747b9472d49ca8381b4a37d5b5d1db431f4034

SHA256
6e315fea5689a4f6db7f5d934640e8d5db0baccb91ebc239f754577fdc498de6

SHA512
36ee532a0debd47e21669d3924ffd7f934a6812fd4d1be8094bf5360c2ce31286f57addff41fec8044f0c771da04f876401442c2ae3bb48ec3491462204aeb16

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a93a779afb4942467a3f12e7f7ba8b68

SHA1
6fc5532ad27ab9d78e2c19fbc1578fd1b5b90ca6

SHA256
d28536b1ff15bee7dfb55161e64aa87ebcdb417f2aa826fe05b290503a04cb5a

SHA512
87f41bfb9c2ba3f89a5420cf535bba5e44c5fed7c6e6efe301680bb9c53e9094b1f2a533e85e2e324da4ed9ea31559a996549a138731d3c32c5413b9dd926fc9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
6ee241505d3c5f6243e8da986c634aef

SHA1
78faed900921139d954726b915812ec234ae26ee

SHA256
a95533bbeef5b6166155684c957cd2f19f6337a7bf0de4dced1a68778d418b67

SHA512
db2f2e59d6a8cf47638fdb79f0ac9ec3727018e214e7559bf8ca5feeac69432b16f7a7638b41dcc7c9ea153f7263874f7156ef9e5edd30521c23623c0307b10b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
743af2b315d557c7b9bd3c3f41a4d222

SHA1
eb3e8328e23067dc98aea2705f64cdc7c2d4af32

SHA256
c80847f7b2457e8fb69ec76da97a049d70e9f5f5ac83a04734afbc49a9be7fa0

SHA512
63b338aaacdf256004e1a4ce24afb4e35a27fd2d64815555ccf125fe804b2d5f2ba889794d9ca2cf4c9c3ed15f4c473b9c7e5918fca6f558ab10af93d58d4f32

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
1a76c3a06d4902c06c2435765794a8ed

SHA1
ef10286a0f8e59d568dead3046eee3c429e2ec9a

SHA256
d2f3f8779f9362cbd522fb489f77841e17f8bffb323daf562f7f5e668e344f8a

SHA512
a7a39e9b90544ed312a9e4b1378a5f2e1b64b14b8040f567f4e92dc694276b2a9a01eef8917032e3b3b1bde5b50801246c8cb2f045e7e8790ce602a3e02ddd2b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
59e3324418a4790f9e6e39641e87044a

SHA1
2995b87943d4d820dec1802cca371c417c5ac7dc

SHA256
6af450c0677f19970d5afab640a3cf378aa220efe2468db8dc3ac8a9b4aa1224

SHA512
01f3d8bc2a2e3ab512f92022ff6700a56ccbb38160543deeff7626e7f7d117521d38ec0db8f043ed668c1f422a981cced343bcaf73a57e0bdbf86f1da4c8f991

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
71369f096ce2e3faf5f26520d911de86

SHA1
810c9ec75fb4b5024d2656565005f8555c5cfecf

SHA256
2ce4896a21a3919a7798c45969823f67d91292fe0193e3619835fca4633579cc

SHA512
136d101ceecb40b7cc2693c59ea0d2e577c5733093580cea5ca7e65903a2fa11ac16a9a6b51dcd8901f6615e1968fdf1dbf645c97bf979918eb429160fbb4855

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
70a6f28dcd577a6d80ba0ac887b5941a

SHA1
1d9d833c61b953f87e979a3a72e9b5dcc69a158a

SHA256
9024f4ce95efaf522d540ca79697755ddcfe8065dd103db2ce5f010f2f4552e2

SHA512
9a7200d79ae3f2cd4ce9bb053ec68da6f28548c354570287d85eddedeb4459ef1724a0abc07e3322f8b89f53f7f1ddf6bf9b4a06059534d2cea4ed9a42b8cae2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
0d7a7b9e9b57bb657e9f95423a55e197

SHA1
fc24e3a13f62772214354449d43197c7763da727

SHA256
22cce6983ffb769447aaf803bcddd3582dac6455f43f2c0db91e6d210594a10c

SHA512
bc6e2a41c8595635d39689481992723447618bb4c6f54a6a493cd33dd7f35f2e5fd30774eb80100b7b09d8761d9aede9373fe2b02afc268478b658adfc1c76d7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
17318243ce7fdb025fd7729866788a8b

SHA1
e551ae5bd77c2fed5a6f5fe712b1c28931bcade4

SHA256
651942b17975e2a99ad0d73e2fc538983540115fdce8124468130d319d5e1d8e

SHA512
943965f8cb1c970313575b2de54460ac79b84de55fbf78fae8ba3db27f507a4ce330fca26359f3011cea9c03775d85fab9456d27177d96e4c1fe544f24c23875

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2318744d01122f029399dae942fad377

SHA1
c354a2ec1973eac8f4125c8e11d3d66bbb4395b6

SHA256
92503c3c32299acdd3e3f2975419e0363caa5b950ddb58dc5c5ce084e56a98ad

SHA512
156c6fea98bafad20dd350bfa8fa8da7be353bd7b9d93df0e1975387a10b96808d633b47fbe0a85c6d2a3416058fae4b7d60d6c4cbc9f9c8b7a8e92c474295da

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6f12c9d296627757828048c100cb81ef

SHA1
bd0aabd892d62ffa4f1267c31928d05bf8c96fb1

SHA256
faf88ba2f0d7dcb4c93ffe93c236ab7c05558ef2469c2ff77fbf30e72d895541

SHA512
286f0e6914ed2d9391af88e9280af03f7fd18eb1a7b751884d4ea9c6933180159338bd91f0ff3128cdcc1484967441b4750af9e724769f8fb26a9800e22fe644

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
c9fb09a26254b668ae318908960b9bdb

SHA1
2031e51f4bd43a05a9d8415226fe834088657b3f

SHA256
2e6c35771116b90d3ba407fd5b2a21741e643f8ca7eecad76af95013f2bcb613

SHA512
fece2a9cd83ddb6b6b47adfb8e8984f226d620c7f2257f425f5e434cab20f8560be9638ad9a2c79db78b9bc29235e9c31094614ae0b4fccf4e1493a398490656

Download Submit
memory/64-88-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/64-86-0x0000000001E90000-0x0000000001EF0000-memory.dmp

Filesize
384KB

Download
memory/64-75-0x0000000001E90000-0x0000000001EF0000-memory.dmp

Filesize
384KB

Download
memory/64-81-0x0000000001E90000-0x0000000001EF0000-memory.dmp

Filesize
384KB

Download
memory/64-83-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/208-206-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/208-568-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1372-27-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1372-128-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1372-28-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1372-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1664-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1664-90-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1664-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1664-23-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1984-162-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1984-448-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2164-106-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2164-224-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2588-187-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2588-564-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2652-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2652-49-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2652-45-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2652-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2652-39-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2756-91-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2756-209-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2756-92-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2800-260-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2800-139-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3000-236-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3000-125-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3092-573-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3092-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3124-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3124-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3124-567-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3428-248-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3428-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3732-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3732-499-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4316-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4316-575-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4328-570-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4328-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4400-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4400-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4432-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4432-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4432-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4432-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4564-1-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/4564-74-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4564-0-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4564-9-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/4716-58-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4716-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4716-52-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4716-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4836-261-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4836-574-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4840-569-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4840-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download