ca48629ae6786d8680e26c6221ee758d155f721100a1eff0f62c5daf26b5d83b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
Size

2.8MB
MD5

4177255726a54cb9fac7cd7d35b12b24
SHA1

9eb99f4a8c360a60c6b34079d3eb1e146ff989c2
SHA256

ca48629ae6786d8680e26c6221ee758d155f721100a1eff0f62c5daf26b5d83b
SHA512

94abe5090359193296e7f47baa9b3323e21e5b56c8a430c523259a5c9ef8dd010b6ad0b48ed719cbfda1108807601f091e671622cb7882bafc6034cd947bb825
SSDEEP

49152:k2AnP0ny6BKau7kcSKI/a8QgSrlbsbrJoonScyG7y00ibS:k2AnCy6BFcmMwJAcC00ibS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3556	alg.exe
1644	DiagnosticsHub.StandardCollector.Service.exe
3620	fxssvc.exe
3328	elevation_service.exe
4024	elevation_service.exe
1460	maintenanceservice.exe
4952	msdtc.exe
4428	OSE.EXE
820	PerceptionSimulationService.exe
4212	perfhost.exe
4208	locator.exe
4856	SensorDataService.exe
3620	snmptrap.exe
1384	spectrum.exe
3688	ssh-agent.exe
768	TieringEngineService.exe
1124	AgentService.exe
4696	vds.exe
1896	vssvc.exe
2456	wbengine.exe
5192	WmiApSrv.exe
5316	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e4b561d485dff9a7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e0238ce63c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000044411cc63c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001388f8cc63c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3ffcfcc63c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f34d3bcd63c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066be8ecd63c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d5462cc63c8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed62d2cc63c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
1644	DiagnosticsHub.StandardCollector.Service.exe
1644	DiagnosticsHub.StandardCollector.Service.exe
1644	DiagnosticsHub.StandardCollector.Service.exe
1644	DiagnosticsHub.StandardCollector.Service.exe
1644	DiagnosticsHub.StandardCollector.Service.exe
1644	DiagnosticsHub.StandardCollector.Service.exe
1644	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
Token: SeAuditPrivilege	3620	fxssvc.exe
Token: SeRestorePrivilege	768	TieringEngineService.exe
Token: SeManageVolumePrivilege	768	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1124	AgentService.exe
Token: SeBackupPrivilege	1896	vssvc.exe
Token: SeRestorePrivilege	1896	vssvc.exe
Token: SeAuditPrivilege	1896	vssvc.exe
Token: SeBackupPrivilege	2456	wbengine.exe
Token: SeRestorePrivilege	2456	wbengine.exe
Token: SeSecurityPrivilege	2456	wbengine.exe
Token: 33	5316	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeDebugPrivilege	2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
Token: SeDebugPrivilege	2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
Token: SeDebugPrivilege	2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
Token: SeDebugPrivilege	2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
Token: SeDebugPrivilege	2556	2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
Token: SeDebugPrivilege	1644	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5316 wrote to memory of 5856	5316	SearchIndexer.exe	125
PID 5316 wrote to memory of 5856	5316	SearchIndexer.exe	125
PID 5316 wrote to memory of 5916	5316	SearchIndexer.exe	126
PID 5316 wrote to memory of 5916	5316	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_4177255726a54cb9fac7cd7d35b12b24_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2704

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3328

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4024

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4952

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:820

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4856

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1384

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5044

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5192

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5316
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5856
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,8447163055677043976,7218082390179600880,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
1⤵
PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

Filesize
2.4MB

MD5
8d1bacf63bb1fd43c73f75d00df76313

SHA1
23780833ad6d3c12feb20a425c2c5917bb69844f

SHA256
70bc3d63c7a2d75cbbdb6c86582f42655256690491cad6f24de0f25b9cd5c74a

SHA512
443be152be3cbdd0d7b8c7ed0f0adcb13cfc04b4c226d1e01b57a4eaf638e82575e97742feb0ee5a2c9549b03e330d55de283042a8c0dd7bcdcdca2ee2fff44d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
8e0aad902d9d8fbbe4d24ddb913ebd8e

SHA1
e3a2fd4353f83475e4870eab4575882492eb551e

SHA256
3f116391a9a9eb6392a1a1e44a9dcf0083fc90d7360ea8e80ba5a954e42830f4

SHA512
afe4863084a93c63f70bb66307f2147cb6625311976768ee4571e09e8d25f9f995e3fee1ac218101d27cf93260dfb09c3aef376bdc23483941efd399b19250d5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
c7cb78e0e608bd10d7f6c2d28dd2321e

SHA1
d78d064fdfeac49ca70362c09c7e9ed1fb182c74

SHA256
07c15d6ff73ebf2d801032a6bd72416844d4f67b363c4f01a11cd7417aacffe5

SHA512
5ba3ba313e48990daecc2e345c7656b3867cfcd8f1242208411bf5d3fb933008bf52f3cb767c6ca8be6734df357176899e8fea8aedd2df9fc5f740e308c71ec6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
06c6471f4112aad18fe0037651e61da2

SHA1
b663f194c79ba4f9d508f60a8667f228b65ea35c

SHA256
f91e30ed57393a03fa34aff46238de43e2d05a2480bf5bd718680fe8a8b7bc2d

SHA512
5601ed12d26f28dc24ae1d771a0df8b0758612df7d6434a0e95f7d6081a34cbb7a252f25d2f0166b2866eb03e84d30d212cd0104eeb099d4937ab4161b362e3a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fe0bb671fba7bd57a31ec8d1acd1b535

SHA1
bfe0312c9d3653387974d90b43cb49f6bcf14016

SHA256
267a643d53e24c1be0351d2fbfbab121c0115653784d9085c16ea5d3742d3544

SHA512
a600581d2f9a07691d33b4aa48cb12e1ce6132fecfc1bb14e3dee05471c5b092f9e11e1deceb45ec2e8238f35586bb23822b3cc3f33c1ae1936dd5aed2571fcc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
86d3889ec9edd786f7cbaf11bc59585c

SHA1
ac6a83c5f5d6af6c7f230388aa2b727703499bb0

SHA256
264be510127ec3eaf7cb032f1841e812e7da1b7951b8c9e69eabb6985a9cafc8

SHA512
f63fa37fdd659fb9afd806d1b7287d428c2916523e966801e52fb7ef0e4602713062975f5232898175c63779c48630b3da0ee144f23f9f9a9f52c51b939ecd6b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
a32af16aacc89b0dc5d98e66068d1a03

SHA1
212894f1cc35b1f396e7a5aca294ce0c5317b7a9

SHA256
50f4a8d65a044807620ef2f51433de8ffe55164466cf145357407a01ce36dda3

SHA512
a63d4af3e3701dbd28eb38fd72a01e3479952701c4f980032807a5bfd51d06c1d289b60f70b79fe0cdaa351aaf717623253b3988aacbe15c611fb8abd6608d98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2b15653475db6aeaae290a970e640e5b

SHA1
dc1a4711c99288fd87b41ef87bbf41a21ec3a180

SHA256
4daa9b31f63078af3d9b2c20fc1493921dcde6694384f0c049f701ba0d9269ce

SHA512
35a8fd360dea5274d6bd02d930d93937b8ad58dc0ca1bf46787a766fe580c7bf743825b809a1a65663cb9b86e0823833df1ac9edf2423a37e906dbda3bba9b65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
876e2276b2b7974889b9efd412760edd

SHA1
3c30dd213613e0cef6c4e632d373b10e64647575

SHA256
83b9b660dfdbf7f1e4e33512517a705597c8c60b07ccff1c86b02a27f6c8ec5f

SHA512
8f2998432eb3dc6456acd4dc87db91ccd7c7cf0c3525690b041f517374ca8d2da95dc22de73f7b292bb40f9165f67823813d5874e6e723c49d9483b1232368ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2cc7a27cba19bf8dd97910f84f36f5d7

SHA1
dcbbe7bd28d22277c11f487a191902e3708ca380

SHA256
a436d87928f04a831129beb9b78d7cb9ae9b5b1652f049a90d6bc5e43821ca8c

SHA512
9b1cbec4e838f154fa026df43b5c1f5c854eac0ac51852ffe1c3646a0f984349076b6458add3e038fe68e270cbf787c0d5204b4ef6da314f5cdc1d8fb23edb45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
be421bec071500208d9c2ee00853ae38

SHA1
56386d12af3bb4e45511c039394f551df7c22c16

SHA256
c5687b04b0d5adac2657f06f3c059903163135f9a280c6cfc1f69d4dd2d636bc

SHA512
d33e76448241795322be41843524f15e1dd153cc858121418c3907944a2a284c4b372b888e7b5eb2b544a8f869f41cf00732977ed2103c52af76af25187dc95f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c57f7d816e16a9ec534a8a2977fd4f6a

SHA1
3c9144387d4bdfab17ae5151ddda30a9c99a282f

SHA256
7094d7c915b351de411c868579bae7a020ef17098bb32db630e51d4b584cc670

SHA512
70e1b4053c97d430a834a9cb2a7baed6106a6358113da2f45596d87f188aff915984d48789b0cd65607c72652069443aa1f1c6ce3cb06209ea27b66f496b250a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
b5a3cb5299e1c30f1f990b4705177696

SHA1
4cba0584b179a5c028701724537af7e3ef33d3cf

SHA256
e2df1ef79b14e5b7f1002930c4c1298ac08acb21af6e251ead4e7a4064b83b6e

SHA512
a230e361dea9464df93d2269b419ebd27799e4276a3471a50ec9607d667cbb4e43058742bd3bdaac45b4f44f191934ae4514ea8421f401f023e56c078d1e3ffd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
cccd1b1aee724242a31153e1443d39b2

SHA1
fe0e1d5a51613bbd44976372906f025dd24c7511

SHA256
176aa0fd282b786151318ca28dce592a659ff93de5f3ea4bad5d95efaff13255

SHA512
ae3534de88bf7cf2fe8fd1ac6d5cd96b53930044578b55c26f7b79a582fc8431b776c8870a2727c1db806d24545e2cb798380ff1c07a64c997b0e7a21af738bc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2a6021cb9d87f162d242f78ace166ecf

SHA1
b7ee62d7a4d7868bab87691c11b0cfaaf1828741

SHA256
5d65879769d30cb7d1d261c940833442a4185b1f92538e9ee45708920d1d2723

SHA512
63ce5e1e6e77e2b85f187eca201e37216e0982968acdeb64a3fe2e0c619b61a3fcef5b9b54239b8aca8eae9e27bc4256c773a17314bfd2b4de5d1a1a2c835b55

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
687245de230443b2553afd0e098cd0e9

SHA1
65389dafb452890e1062dd8e8ba35ea0ff2918b0

SHA256
745618b1e3e7711d20a91709531a08d7869676718310d46acd344bb480031e64

SHA512
7ca4e04599fda8c6703a256e6202f311dd8775f667859ddda050fbaa8f111a6294b20aff7f7b75d2120b751e20fe3d71dd1b3a074a2532988ba8fa3c5fe09806

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
29007224adbf5c8d34afff0f2dee82d3

SHA1
e7e6cf6deee5887d736d2f8e900ecc4ffb0aa4a5

SHA256
9097d380827f24f1b2bd2e326a3695e031d24ae8ccb6a7b258ae7b03bae069e5

SHA512
66d3e345ed38a3087e4b164b0e656175187e2f0d0d9e81712c53deddce6823fe16dd37cf979081950610e02f82e71637bf0afad317906be2524624f879352a3e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1ed710d8465b8d0921462621e96c2bc1

SHA1
eb9c001b5ae1e166d1143444f25afddeaa127894

SHA256
d7fb23f02a1d0970496cc860b6408085a9329e6ce9f3d3c3a2051609e94eda58

SHA512
0bc357a10079480576da33fc71ced53e05836b8a7f9f1ffc5678a968792e3b8d772dc0f21bbc38d64fec92ed72d0310f5e2adf786ed6df704a39de72e0dc7c1d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8cdd9846ac60ceb8b49d03800b66c2a7

SHA1
5ab0503d794a7805bc7acf7be912560f315d97c0

SHA256
647dd690639875947559fa57c8fa3ccf88514dababd0cc50c79a4b1310a3934f

SHA512
8e894ddfec5ee17fce33831f344f400223d98f600c106c158e762f57aa7f7c2ab402a11023130e8f995219ee492af886cd3157eb16ea036592fd965b1065c385

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
849b9eb0065b088a04aa9d5cf0244d24

SHA1
0c3f35fc54312066a6b13a296030e9e2dbee856b

SHA256
642ef82337e3253d30fbcaaf400c850b19152a85f689a2f4407fd8e08303d3d0

SHA512
ebd78ea43acb996a6c7421e5d85e688f04d57569461711563cb6cb9e24bd1392457999bacf9d68cb5df91cae40ba1a9006bcbcdd721c4e18aa0c50de332830cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
2b3b7266a107669135fe772b67ff6008

SHA1
afa6fa8d722262b5528344532eada10884afcf66

SHA256
30338fcf89fbfe33dd9fa9f78e8d873198f122f3914bb71987240a80fc35ef17

SHA512
6fb5d4794e14a1ec438afd60c61d1ab52c90a175533cd4a0b7cbfe92bfd04316773b8143da4d321ed30777846f114fafdde22eb20551d4a2e4f63076986e71ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
4056889d5612e52eff399fb17c1acc14

SHA1
01c8ff587ac0fcbd16d59f54f58a9d4255529e3d

SHA256
c1b8185e0da4309d1ef77e4e7a32e231b9c1418e176684a74dec3ad8b94aa4ec

SHA512
b5c50e6d614c0c325eef04c6c8a3313b937cc3ad8b34231a89dd9d4748b07867775a0df9eeac4db2d12509967a98aaba4c49d17ecb50d5cd2a55cc819200b75e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
6a928c009e17a800788d9861b6c6e46e

SHA1
0dd7816a723a0fead83bafb429590708500cd17b

SHA256
41dc9814b40cd6838551962669e5a17d16525031169e4d8b72fd866f6e7c83db

SHA512
a7e483eaccca71be9ed65f1894a579c935a9faedbf3afb196386abb548841a6e759b6b73a861fb1c115e87090060689d1a28cdc2bfade635c95510e9f579d503

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
f93987a9f24d2eade6e9671747c19a91

SHA1
c5740e98258a3d49d1cc53a5c5d0bdfa2d242063

SHA256
b50044bc53f0fcdacf3abc522b0f7e06769ccb78c43b2e8b3edf216ca52230ed

SHA512
945d14b82e8c265e4aabd5766a81711a3280a8f79e22f78dd18cd1a6314aa80a6e2f369b6b0638b1cc80a3261a3fe27d7c6f8107cae4ba0672473f84e80aa9c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4d3efe898c5c21793e7f59a61a035a40

SHA1
248d784801485abc1ec40e65966e5936f25c2515

SHA256
c61c741f2ae6ed5c7366d1440f396c82401b8c90f239ab35bb8d0e91d2839073

SHA512
9e48e43ef95e2e7e404b879731e93f2dcb8c520d3e632e8edc256862f68667b8dc5c20b3ef51b38543f6e14714d1833d298ff36d571d79cc52f8838a9dc6c453

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
1c8268fed644e3ba139a80a9cccc3d06

SHA1
a17417c031176be5d666da332af1d0b7cb8d71ec

SHA256
5790296d278284e655bdee1b9f422dd9e760df1c0b9e4a1b4380c2ba99d65bf3

SHA512
52a67e3360f0d4024a35b8541bc0374611da0463b332abc9bf3d82fc2ba2ab86b6438a3061b41f89d243953ef736ca699cf7ee3ca1cad58bfc6011a5a8ef589c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f3afd38eba8df909da3999665d6b9369

SHA1
ab99eeec3a2d42126de49a72400be30786925ab3

SHA256
9ec253b63fbda916ac2e75d0081a3136df1873449c89b52d7af5c7ba8b14c0b4

SHA512
9b04ff6872c13e2c3454f7eda5729c55f98b46509612f3f16145bdd2746789cfd19a0a646d7cc273308cf8dc6db2eb5811f7f7cb8356341b85fb2a42c998038f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
2a1c9f118e98f97df6f3bd02298413b7

SHA1
c27e8a08b303724682c4576d6d5e9f13efa02517

SHA256
c504b9bbccea4adee61541beb965e406230f68c738655eb09dd2b092b0b2a613

SHA512
f02e1223275a352c375d890d4f35c6c181f5a651c9c5046837cf02afcb10c9d381bbf494c9dbda28373de62db63a418a2b70ed612b834fc8a38b4643cc2d80c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
091e3e0e8e3aa493c1f1a8c8be1f5d89

SHA1
cc91fea92afae9fa2eb628966d29f509e6e342e7

SHA256
48cdf0ea8eb6a89c30bcd0d36f8e1cdd13eb1f8f69e130dad64a8d20665a0684

SHA512
8fc6464f0fdc042a042ff498ab76461157874aa6832e604069fb7bddd916cbaa178324c5f33f7888bf66ef15082da33b49909f7ce1fbc0a08d263e0547fd31e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
15b99a988ba1257f7fbcd2e805180e97

SHA1
e8bae72ee88a09e4c43c31c44f1cbec75e544a2a

SHA256
18908c07ea77f8d54fcda81cc349fa338af20a0cee25e3b291291ee94946a646

SHA512
49373a79e060e591a93b702516e7d1b217aa26c4beca24182ca3fef50d07c236053601fc9d974d33cd88db8940cc14cf1bd0a61212610da82b30224f9876e868

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
1eeaa09d1471b967a3a1c452ae1bb2d1

SHA1
36fc234a535c252e0d1d56f251f80972c74296bc

SHA256
0e419c8a5b8c076ebdabc6a9328d09902d6413b4252a03f62eaf7af3094f96bb

SHA512
296dfb2c1ef2c6333568a2f60e4b94c3e4f0c3605ee029b9f990d18acd8eb8f0d55ec9d7cd11f77c2f3ff3b1d90b646175c00ec8856301c2f98d328a60af25da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
d8d808e25872f26c44c4dd378c4794e7

SHA1
9b7dd40e27ce48c2666e26b78355ecf2bb23f652

SHA256
8271252217becf327fa7b0914ff1fb0a80089fffc74bce10aa59ade3e10931fb

SHA512
01fd0e2678e167d701c50b4fbf24cbef7153e7b4aaef3f1f377da8f93a096794146b765b00853d87d8b02c7a5497a3bced2e0373bdbf2772f105cbfdfa334850

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
653ab511956dfb924836e4d40339bb50

SHA1
1e944c7f9b9a8ee9af188aeb832f00d57618524d

SHA256
14f9f614091ecf4e073285500375c41ccbb630815e816ae44954b14ee05790b5

SHA512
b3a3a976330256ff08da05342f58378160e9522867f55401e2cc0f138eda4e144eef3ceae9d631217881d4df515055ef7fc807b47647a2d052777da72d24b588

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
be032059c695ae3956d2b1d175e6e13f

SHA1
75c479a3feac0e2e2c3e819174f6c821be39f50e

SHA256
fe0e23b38f2957744ec9d63692631e742fc9a75802a12e83cfc126424528bc13

SHA512
53afc67a6287f48e951371ac46bf3941fea284dfaba47efd5b135df154ae42585b71c6bb34f236d24c9a4a65287f87cbf0ae1c4bf5dc64fbbc34438f9a82d71a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
8319cd66d3edca40567367ef4b175ced

SHA1
8f47ee28d45648099d54499f04d6d8a9cd0dc386

SHA256
ef568a610cfa1440c05605a4ce57f5ba5df7c15ea792e8cb89cb06f6ccbadd7f

SHA512
4887a2dc407c41b35b8d6b4e06deb98705b5b7988c0a38c8f3de6835a96ccd780428d7569c94d868b5a27851a7270d8fd051d01fced09715464b4cc9f1395454

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
9e34574756ce5e839ba79db5383f7645

SHA1
2c6a8b7aec633431e4c5b1d13d9982b0e8a626ee

SHA256
86fe59799a8ddb7a18768e3001c92fa2dd4995b5c31f8cb94e5c994f9ee9023f

SHA512
0d216039cf3b2fd14751b7fb29df4f6a9b736400c7f3a2628c5726a087472e819eb24b2a0dfe46152b617fe433867e40fe7e74cd2ed84eebc4c082ab46061ee3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d1a39a6b7d693bfebfb87822de3217e8

SHA1
f68cda12de1e3c9398b2fb39c97f639d8b92ac40

SHA256
36ce8eb1e6fa5d9cc532bab2c19f5b02cc5874b53082f5d12f186c8cc181ff75

SHA512
70e14403f121eb68af4a2ca201c175395fee0ba45bb5e14bf4154b660e355bbddd5dc46555a03970a12333223cb2ba500fc8888b59e2ba9b71e20ed473d8feb8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
68b325840f433f3db147a4caf5434e98

SHA1
1c5ca9f64bb33d3c8bbf8da868d2f43b0a15b867

SHA256
011d0bc8728c02d19e8b0b3e64089a094d0181ec68580417739c7171579c2ad4

SHA512
06b13a57e87c0b7d07cc88e8188f4c58b2a8369086799affc5ae40346b0fdaaad499712310e60e9ab2f3bca844d6ae6daea577f5b9ecb92845b67cd47925ee58

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e9025a98a544547a476af31b9067fbe4

SHA1
22e44271518433aaf6438436c4b475bcb5e11eee

SHA256
6675ad865d061af8733ad14438eb8cb8b312efbb205b87364e67196ae65a4f07

SHA512
ffcf739f0c61a7c0f1624edab476a59d55679c00a436260096119f72348be02d5bbd6870d92c6d9a88c2d8a628b9ce1299741731f0efc00fc9da47b408a97c55

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
11a722c58557f0806cdf5c737d687fef

SHA1
33466eea12f7a805bb42cb70cf48c444061887c8

SHA256
22360b0095f701bf2097e59d756fd66512698ba784ec73d51eefa8a0a38b4912

SHA512
7474ab562e3264a4c0fb876b66a72c20b9e9f76d7abb1197872c652c92857c680e02276f0b120aa49a0ab99a36ea8f2ab888db621ca0e77bc5baca8992fa43fb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
b56998e10f1f67198c9f3a401927d207

SHA1
ae2b5b563f070d23f8478123d5326481d6a0102c

SHA256
584d8df38e055f6b5dec2aa1c2f5eb106e902648d4114b576e65efdc0515384a

SHA512
9907bed0f61ad750189106d8b2f8856dea7a199bd8f444709a81fabba89fab730768c70fa6e0a966aa7f0c37987d121c94659b6b6e5a8ece9ea533ce42422c5e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b2730a5aafe9dfe7fb899ec182be2417

SHA1
e9803c0b2f36ae0fe445a77d79ce821c21ad67e4

SHA256
f74e5b759a1657c0bb0121ca5a8fbf046c6e5a88139ffc92835b1028294d5fa3

SHA512
dfc5c374d068d6133811e038cd776331dda4e65835c1ff50451a36a38638b0adbdb513502e4551f71562dc04af84d89abd0d6802e20e3da65f68d90ac77a600e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6541f2e33fcebf5f91627ace00f5ed99

SHA1
97b8de23dbd7fe71a013a34f3cb2a67c0f57da5c

SHA256
7e2190ff08716d28c998e222b2c7d8f852ced84ec0e792204f44f582e9a7c928

SHA512
d76ef9b07e12471f32e106cf28a8ced87ef7ade7a905d6ae81bc7cac44911a90f800791ee939d181f739f88263952088e5275b3cc50bb11abf5ed8f12253e989

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
766e6c1893efc14964cb0b5d17ddab04

SHA1
d18ec87e776a7578d044c5bde884fdc48c39af2d

SHA256
f56bd66b2e8a1746a448e9b0f7deaa686d4257cd4b70de94c05a7955888c5044

SHA512
8c7a1e797d4ca1c114e00711dca9bfbe2ea36dc4cf252ed7699009acdc75e46efa7466afb28fb00b2ac15225730d84d3d0ab7a35a99650f60b526ece86aff5c5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a104b213b939548c2f4e8a4fde4afbbd

SHA1
a280b5f6d7f8b2f43c49cb458743c784a5ec1d4b

SHA256
23a7d7dde56ea7c7e64cc0b4225bce6f60bd8dc77e84d066c36c39933d03415b

SHA512
09ca1610f56c4401ed8fde97e21424c3d88fb05a86de5212a914244bb202534dce998783ec1790c4fbb4bfaef66bd31d9da18780e664d7b1810d3c019da3ccd7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3410722cab457500a38934a7243500f8

SHA1
64a39f85446ab0272fb21ce1d57c85ad90a1e677

SHA256
afd35d9560e1ea2915d703c48906229ccef0f1a8bec5b4897c2cfef49469c6d7

SHA512
59c2312044dd3f2495b7c5468897f549acb97cb217ff881a038d62b95921367dd733801843d0f4c9af2bc2d53a2af9f4dce732d976cfdc1bc6fade76eed04918

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ff22f361c37fd9ce6a1825f43889a671

SHA1
f1ce244dccb44bde6c368223a8deb7543e703a8b

SHA256
5d1c217d2d83c202c598479d6941833ab9ee9a3cf267dcd407b834ddce60345a

SHA512
d83ccaff9f58c7e7493bb6a9cdb99bdaab132728137aa0034f81d1bcb1bc36c631c817da62d73a1ce87aed7ca022d4e5e0c71d171334f976d0da232e8e99c494

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2ee67902c6ab8c859659709bbc5d20b4

SHA1
6a1e2def2741fbcbaebb0dd88f97bc81ae405a05

SHA256
3bfbd2177823adfc11d358125a0dc3d55b498c7a3555db16daba943b2f10e47f

SHA512
466794f2e71d6a81c40b2f28a3fda701edcd8b59400e6fed3748b0e7af981c0c1fba63cd2bbb652959938c03b2ce60d958e52ce8f8e28dc3f32f9b647a01d9c2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a24c6d603b8054bf3b97faef3576fcf2

SHA1
feb469af0eff9027b8495feede070592ff405616

SHA256
231f595f7c19e146c1ad450baef28a650f1a133f08e8113a82e7834fae80c7fe

SHA512
bcdb8d68eb3da8f1ea07ab46ee25160fce2ed37e5fc0b29e849d496c624510d65b7b7ac73e41e3b4317607d197849ab664014806b9bf0ab8ea5851f3d4e70dab

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
372a2630ecd6fc40d7251a3778c42aec

SHA1
201dcb0b190003304410b2100b6616bffd2696a8

SHA256
826a61c4c713684914984a4c26bb3f3c4283fd3074e22de28da09aada48e8efa

SHA512
b3eeab7c934f9f024ab099dba07bab75166d5dd5a0569384259e506947128b0b38b512fb412c06848e73b264e68ecfa66ee7557fcd8896095b9d73a640dede8d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
087f2e8a181950956555a15d158221da

SHA1
6a35327a1bb351dc5e25b9df61c6deb8875ec56c

SHA256
f85c29d05f1de181b010fb505301e813acf5bddaf29e86cf869027d1beb8f0e7

SHA512
0bf8f6d40e6d5008d9a2a91386d233ab13dc66b27102ef66a2f24eb07266944dfe77ac3d22973b3eb962d3752d9e2296bdaf099a4cc117237d3f2e191973fd53

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
6086c2cea2b7257939dc858656915100

SHA1
879748806ebb7d60a9dfb2e5591e104c8bb5b164

SHA256
bc25c1c246e362e145104f36784f080a85470fbbcd1bf328f65ad0b92810a317

SHA512
977c68182f467a6b3b2cf4401f67e19a049f40ed59c50ee1c491f44b7f92a965c09b1cf7d37afa2480621db94a651ae888f2bdcf56eaf2f29bb9b1209ddb1876

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
aa48360d0feb151bb0126fa7b3de2c29

SHA1
7b7184aee3cfcaa30c689c64bdaecc706e56292d

SHA256
0d3735147271c8074d2a6ab145b6131b1c3fad261d425bccc634082c29b3c285

SHA512
48b39558598770f0c29b160a3f3f6dc4a56478abe4a94f0949f5b74ae45ff1ae355d4195781f27c61b87ed63c1f30314da84bc975961d2cc22bc813c481a5ab0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
df08e69a4a3761e7709ceb722f120716

SHA1
b83a4873a220c424621cb8e197577a9d1f60687d

SHA256
7005475a3dbd4b89712635018e899470d7abd94c0ed4585d6b0d054d9a3cf417

SHA512
7a2a333c5a30e5131ab2eac123935d39744aa5b53ad0f73e1346dba7d0941db3df47d9be9f3c257c5ae143188afab849cbcc2778b60256ca3bcab4a7c9c7fb80

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
1656f249a848d213b0e0956b4899e4c3

SHA1
5ef39dab210de651634d60685093e76f9692ebd1

SHA256
28735175cedd15ee92fc855e2d860ee4e171f0251e6c64ccb1855ee048460e17

SHA512
8300b1ab0bb3696ae48cdfe3dfafcc2c0ca8a59af034cc489feee20a0a7e8cb0e705deb1cae3fb1277790e371664ca31c8a0e4bb3aaa8a9708783ceee74c6ba4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0663c944c418b6699e38e9fe2be27988

SHA1
5eef22343853bdabda17b5e588a0f4bd84219173

SHA256
90007d37146715281e77264d0039e64107b5a0ee147e274d7c17f4405bf67202

SHA512
6302b44792223edfac8c002e1ac513a275b789c7ded11af228d2fd96b0987f08637e9af888e18ada7ea217d3e42c417bbbf2948fcd12f7f95bcb3e4fb2cc2213

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
860ee1f2d480c5e22f939dcb51977e4d

SHA1
49a2142f6c51694828f7c31186158416195fa87e

SHA256
cc90f68e427915262c0ed904940509f5d96acb07b60af7beb722a7d67311d2c2

SHA512
de0a208efb61c7d047122b44020f0daf95af1260946153cac252bb73ddd46bb6ef4383787e56c61a0fc40db72d6ebdadb822410a7bb94baaf52e40a803f41366

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
6ff4ebe7774d4d9d0ff7daeba233fdbd

SHA1
cfa96a9ee98f1a74d973c8112d3461acfe19ada2

SHA256
b1d75599dd832ed696d69eaed7782c1dd904687f3363f9b9f2bea2c48cc4ede3

SHA512
f9d6137ce69e8717ffa7f41466e83888f9a914b687f9dbcffc16cbb990b4c8cad6898823446612f1379ae2e5e3352b5ac70732032504f5c009c1f3cf374955c4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
4452e8c9216267d1348a7ec28202c30a

SHA1
8064a374e69c080d74ed857cfd8b434c497c61d6

SHA256
8c85292015e2cdc37b89d8eee5a08344378f2fa7669735a2586e7fff7e594c83

SHA512
64add4613e9552f50bf31873935dbd3dd8b06f11546f57aa94bae9e59fbeb2efc0ba6afa520bb5079170f812102a85adeb75e8a74af44b4bc19a6a6c9272c9bc

Download Submit
memory/768-470-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/768-149-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/820-99-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/820-91-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/820-97-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/820-164-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1124-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1124-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1384-124-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1384-363-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1460-68-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1460-70-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1460-57-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1460-65-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1460-63-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1644-27-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1644-19-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1644-103-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1644-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1896-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1896-472-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2456-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2456-475-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2556-0-0x0000000140000000-0x0000000140403000-memory.dmp

Filesize
4.0MB

Download
memory/2556-1-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/2556-9-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/2556-76-0x0000000140000000-0x0000000140403000-memory.dmp

Filesize
4.0MB

Download
memory/3328-35-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3328-42-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3328-144-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3328-43-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3556-102-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3556-15-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3620-33-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3620-329-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3620-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3620-121-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3688-437-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3688-145-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4024-52-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4024-55-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4024-46-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4024-148-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4208-114-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4212-105-0x00000000007B0000-0x0000000000816000-memory.dmp

Filesize
408KB

Download
memory/4212-168-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4212-104-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4212-110-0x00000000007B0000-0x0000000000816000-memory.dmp

Filesize
408KB

Download
memory/4428-77-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4428-84-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4428-78-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4428-160-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4696-157-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4696-471-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4856-369-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4856-120-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4952-72-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4952-156-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5192-169-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5192-476-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5316-477-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5316-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download